Businesses and governments across Canada could make themselves and their customers vulnerable to hackers and lose the ability to accept credit cards if they don't upgrade a 13-year-old Microsoft operating system within the next couple of months.
On July 14, Microsoft will end support for Microsoft Server 2003 — software that, as of March, was driving 380,000 servers at businesses of all sizes and government offices across the country.
Here's what you need to know:
Who uses Windows Server 2003?
According to Daniel Reio, director of marketing for CDW Canada, which describes itself as a technology solutions provider, Windows Server is the dominant operating system for servers among Canadian businesses.
Microsoft says about 40 per cent of installed Microsoft Windows Server software is the 2003 version, despite the availability of 2008 and 2012 versions. About 220,000 of the servers belong to small and medium-sized businesses, while the rest are split between large corporations and different levels of government.
What's it used for?
The servers host corporate websites, email, files, databases and a wide range of other business applications for managing reservations, customer service, etc.
Why do so many businesses still use Windows Server 2003?
Jason Hermitage, vice president of marketing and operations at Microsoft Canada, says businesses typically upgrade less often than consumers.
"For many, if it's not broken, don't fix it."
What happens on July 14?
Once the deadline passes, Microsoft will no longer issue automatic fixes or security patches, or offer technical assistance.
What are the risks to businesses and their customers?
Newly discovered security holes will remain available for cybercriminals to exploit.
That's a big risk, as servers don't just host a company's private information, but also that of customers. And a company could face legal risks for not properly protecting that data, noted Reio.
What happens if systems aren't upgraded by July 14?
The software will still work, Hermitage said. But security vulnerabilities won't be patched.
Reio notes: "And as time goes on, past July, the risk is just going to get worse."
That's because more and more unpatched vulnerabilities will be discovered for criminals to exploit.
This year alone, Microsoft issued 32 security patches for its Windows Server operating systems, said Hermitage.
How will this impact customers' credit card payments?
The vulnerabilities could lead to businesses losing the ability to accept credit cards. Companies that accept plastic must maintain certain IT security standards. Otherwise, companies like Visa and Mastercard refuse to work with them.
Sticking with Windows Server 2003 after July 14 will breach the standards, unless users devote lots of resources to compensating, says ControlScan, a company that produces software that ensures payment card industry standards compliance.
"Basically, you would have to go way above and beyond to cover for the use of 2003," wrote Steve Robb, vice president of operations and development at ControlScan, in a blog post in April.
Will Canada's federal government make the deadline?
According to the Treasury Board, the Government of Canada has about 8,000 servers running Windows Server 2003, which will be retired over the next two years. It says the government is working with Microsoft "to ensure that we have the support to maintain safe and secure operation until the retirement program is complete."
What are some options for companies that need to upgrade?
Hermitage says there are two main options for customers:
- Upgrade to new server software and migrate to new servers.
- Use cloud services instead of their own servers.
Microsoft has some assessment and planning tools available online to help those still deciding how to upgrade.
Why have some companies not upgraded yet?
CDW Canada recently conducted a survey of some of its clients to find out the biggest challenges to upgrading. The top ones were:
- The cost.
- A lack of resources.
- The difficulty of choosing a replacement.
"The biggest challenge is actually choice," said Reio.
How long does it take to upgrade?
That varies widely, but it typically takes 150 to 200 days for a big company, said Vinay Nair, Microsoft's data centre lead. It takes much less time for a smaller company with just one or two servers.
Vineet Gupta, executive vice president and chief information officer at the hotel chain Fairmont Canada, said his company has been working on upgrading its servers — about 115 worldwide — for around nine months and expects to be done later this year. One challenge is ensuring compatibility with the other software the company uses, he said.
Are there any options for companies that don't want to upgrade?
Companies that subscribe to Microsoft Premier, the company's extended support service, can work with it on a custom support plan, but Hermitage doesn't recommend that: "Really, the best path for customers is to get off 13-year-old technology."
Are there any other advantages to upgrading?
Hermitage says switching to cloud services can cut costs drastically and could mean businesses won't ever have to upgrade again.
Gupta says Fairmont has reduced its number of servers by 40 per cent by creating its own private cloud that some hotels can use instead of their own servers.
Hermitage says upgraders will also get better features and performance.
"Using a 13-year-old technology in this internet time … it's like putting your wife and small kids in a 1920s car and driving down the 401," he said. "So it really is an opportunity for small, medium and large businesses to modernize infrastructure and take advantage of new capabilities we have released."