Windows XP security issues are causing businesses to fail the government’s brand new Cyber Essentials programme, according to one of the scheme’s certification bodies.
Emma Philpott, CEO of the IASME consortium, which helped set up and now certifies SMBs for the government’s Cyber Essentials programme, told delegates at the ISSE conference in Berlin this week that around 25 small businesses failed the certification standards, mainly because they are still using Windows XP.
Redmond put the aged operating system out to pasture in April 2014, meaning it has not received security updates since support ended then.
“This is usually the reason why they can’t pass in a couple of days. Windows XP is used by so many companies, big and small,” said Philpott. “If a company is using Windows XP, or any unsupported software, they cannot get Cyber Essentials unless it is completely ringed off and separated.”
Many small businesses, she said, also feel that cybercrime is not something they need to worry about and that it will not affect them, even though the government and industry set up the Cyber Essentials scheme precisely to help organisations protect themselves against common cyber attacks.
“The number of times people say to me ‘oh, we run a small company so other government states aren’t going to try and hack in and steal our secrets’,” said Philpott.
“They don’t have any comprehension that the biggest threat is cybercrime and that it’s the crime on a massive scale that is probably going to get their money,” she said.
There is also a problem of comprehension, she said, adding that much of the guidance is complicated enough that small businesses may not be able to follow it even if they want to.
Security also ends up near the bottom of small businesses’ list of priorities as they have more pressing immediate issues, such as cashflow and staffing.
“These are going to bring them down faster than a cyber breach, in their minds,” said Philpott.
However, SMBs in particular can find it easier to get ready for certification, because changing systems or implementing new ones can be less expensive for them, but they have to be helped to do this.
“Whatever you do with small companies, it has to be simple – they have to understand it,” Philpott said, adding that it is very easy for those in the security industry to use jargon that non-specialists will not understand.
Also, security professionals need to encourage as well as criticise SMBs.
“We have to make it positive,” she said. “I always talk about eating healthily: I confess, I don’t always eat five pieces of fruit and vegetable a day, but it doesn’t mean to say I only eat sausages.
“So with small … companies, maybe they can’t get Cyber Essentials today, maybe they’re not doing all those great things, but are they doing one thing? Maybe tomorrow they can do another thing, and that should be celebrated.”