
Nearly Half of U.S. and U.K. Companies Still Using Windows XP a Year after End of Life, According to Bit9 + Carbon Black Survey

Running unsupported OS exposes potentially millions of files to myriad security vulnerabilities

WALTHAM, Mass.—May 7, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced that 44 percent of enterprises are still using Windows XP, more than a year after Microsoft ended extended support for the operating system, according to a survey the company conducted.

In its “Windows Server 2003 (WS2K3) End-of-Life Survey,” Bit9 + Carbon Black polled IT leaders at 500 medium and large enterprises in the U.S. and U.K. with at least 500 employees and discovered that 34 percent of organizations are still using a combination of Windows XP and Windows Server 2003. Another 10 percent of organizations continue to use Windows XP exclusively.

Once an operating system reaches end of life, organizations still running it need to protect those endpoints either with compensating security controls or by paying for custom support from Microsoft, which now costs an estimated $400 per machine. Doing nothing exposes potentially millions of files on XP machines to myriad vulnerabilities.

“More than a year after the end-of-support deadline for XP, the fact that 44 percent of companies surveyed are still using it is startling,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “Companies that have been running Windows XP without compensating controls—such as application control combined with continuous monitoring solutions—have been exposed to a host of possible exploits that may have allowed hackers to take advantage of the vulnerabilities associated with the unsupported machines. These vulnerabilities could lead to the compromise of companies’ critical infrastructure and loss of essential information—including customers’ personal data.”

The Bit9 + Carbon Black WS2K3 End-of-Life Survey measured organizations’ preparedness with respect to the Windows Server 2003 deadline, coming this July. In that regard, the survey found that an estimated 2.7 million servers, potentially containing hundreds of millions of files, will be unprotected after July 14, 2015, the end-of-life deadline.

With the one-year anniversary of the Windows XP extended support deadline having now passed, the response to the Windows XP question in the survey “jumped off the page,” Strand said.

Following the April 8, 2014 XP deadline, many organizations arranged with Microsoft for a premium support contract. The cost of such support began at approximately $200 per endpoint. In April 2015, the cost of running Windows XP with a “custom support agreement” (CSA) doubled to $400 per endpoint, according to media reports.

CSAs are typically negotiated on an individual basis and require that an organization has adopted a top-tier support plan—dubbed Premier Support—by Microsoft.

“Microsoft has made it abundantly clear that it’s time to upgrade or implement effective compensating controls for Windows XP,” Strand said. “The security risks associated with running an unsupported operating system are vast. Now, it seems, the financial risks are very large as well.”

About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.