The end of support for Windows XP is just a week away, and a stunning 95 percent of ATMs around the world haven’t made any changes to their platform or updated the soon-to-be-outdated operating system (OS). According to a recent ATMIA (ATM Industry Association) survey, only 15 percent of financial institutions are expected to react before the April 8 cutoff.
Why the hesitation from financial institutions to adopt a new operating system? According to a recent survey of over 1,000 organizations, 42 percent of respondents cited budget as a major issue. This includes the banking vertical.
It is estimated that there are about 420,000 working ATMs in the United States, and upgrading is no small undertaking. While newer ATMs can be updated “over the wire”, older versions require a manual upgrade, which literally involves sending expensive IT talent to remote ATM locations. If the machine is not updated before April 8 and a vulnerability becomes known, it leaves the ATM wide open to hackers – and because security hotfixes will not be made available, it is entirely possible that no mitigation, besides a full upgrade, will be available.
More concerning is that vulnerabilities found on newer operating systems may also exist on XP. When these vulnerabilities are patched in Windows 7, the patches give attackers a roadmap to the same flaws in unpatched Windows XP. While Windows 7 is the logical upgrade path, some of the older machines may not be able to support the OS and will need to be replaced altogether, causing the overall cost of upgrading to surge.
April 8 doesn’t represent an XP apocalypse, but it is the day that can end up costing a financial institution far more than expected – and not just in cash. While an IT move this big may be overwhelming for banks to take on, the third-party breaches and point-of-sale hacks in the news recently show how detrimental an attack can be to any organization. Regulations ensure that banks, not customers, will foot the bill of any theft. And it’s clear – and somewhat concerning – that this industry in particular has been slow to react and make necessary changes.
For banks this is a big expense and a big hassle to fix. Consumers don’t need to stay awake at night worrying about losing their money, but they may want to keep a watchful eye on their accounts for suspicious activity.
As with any forced technological shift, the EOL of XP creates an opportunity for financial institutions (FIs) to evaluate new, more strategic ways of working. One option worth considering is to virtualize ATMs and move all software and operating systems to the bank’s (or service provider’s) protected network. The benefits, especially in the instance of ATMs, are numerous. Instead of storing data on physical computers, virtualization allows FIs to eliminate storage on local ATMs and store it in the cloud.
According to analyst firm Ovum, moving certain functions or applications to the cloud could help cut down damages and protect a customer’s data if a machine is compromised. Many already use the cloud in some form and others plan on further integration to help cut costs and streamline processes in 2014. Cloud or VDI options as a long-term investment would be a strategic next step as XP is dissolved, especially considering the frequency of new OS updates and the necessity for disaster-proofing and securing data at all times. Virtualization may still require hardware changes (zero clients or more powerful PCs) and physical upgrades (OS lockdowns, virtualization clients), but when the effort has been made, the bank is in a significantly better spot to ensure that the next EOL will not cost (or risk) the same.
With time running out, it is critical for bank executives and IT managers to devise a plan that will provide for a seamless migration to a new operating system that will safeguard sensitive data without disrupting customer experience. Organizations, including FIs, would be wise to develop security plans now and ensure they fully understand how the end of XP could affect their business if machines are exposed to malware after April 8. They need to identify and prioritize key areas that would suffer the most if not upgraded and evaluate an option – including a move to virtualization – that will not only expedite the upgrade process, but also increase the potential for long-term cost savings and reliability and help future-proof their infrastructure.
Scott Kinka is the CTO of Evolve IP, a cloud services provider.