For the second time this year, a major public service in the UK, Greater Manchester Police (GMP), has come under public scrutiny for running out-of-date software, specifically Windows XP. The BBC reported that as many as 1 in 5 GMP devices still run XP, an extraordinarily high proportion. Earlier this year the UK's National Health Service, which also had XP on many of its devices, became the first standout victim of the devastating WannaCry ransomware attack. (A caveat worth keeping in mind: WannaCry spread through an SMBv1 flaw that Microsoft had patched for supported versions of Windows two months before the outbreak, and it issued an emergency fix for XP only afterwards. The NHS estate suffered because it was unpatched as much as because it was old; an unsupported OS simply guarantees that the patch never arrives in the normal course of updates.)
Over the past 20 years, I have worked with hundreds of public sector organizations in both the U.S. and the UK, helping them keep their Windows systems current. In that time I have noticed several common challenges that the public sector faces in staying current. (Some of these challenges are also present in the private sector, but not to the same degree.) In the public sector, the main obstacles are typically application compatibility, budgets and skills.
Greater Manchester Police cited the incompatibility of some crucial applications with more recent versions of Windows as a key reason that it maintains Windows XP on so many devices.
No question, application compatibility is a crucial workstream when preparing for a Windows migration. Think about the application estate of a typical organization: there will be a number of apps that only certain parts of the organization use. Take finance, for example. They'll probably have SAP, some Excel add-ins and a few other legacy applications, and some of those won't run on a newer operating system. This forces IT teams to ask some difficult questions: "Do we actually need this application? Is there a more modern and secure alternative? Can the app be virtualized? Can the device be moved to a safer operating system?"
If users really can't do without the app, and it can't be updated, then IT needs to consider excluding those devices from the OS migration and enhancing the security around them. In practice that means treating them as known-vulnerable: block every inbound port they do not need at the host and network firewall, segment them onto their own network with access only to the servers the application requires, and keep them off the internet. The aim is that a worm cannot reach them in the first place, and that a compromised legacy host cannot be used as a pivot into the rest of the estate.
Application compatibility is a challenge for every organization, public or private. In the public sector organizations I've worked with, however, such as government bodies and hospitals, there can be incredible budget and resource constraints that discourage confronting it head-on, which means public sector IT teams put up with outdated software longer than most others would.
Budgets and skills
Often in the public sector, you’ll find IT departments that are staffed very thinly. Yet, these departments must be very widely skilled: they’re expected to support Configuration Manager, support and deploy applications, fix Exchange problems, address hardware faults, respond to malware incidents – the list goes on and on.
This naturally results in teams made up of people with a lot of skill breadth but often not a lot of depth. This has several repercussions. One is that it can make OS migrations daunting. Another is that teams lack the technical depth to automate certain facets of software updates, the very thing that could alleviate the demands on their time while also keeping systems more current and secure. The net effect is that these organizations fall farther and farther behind on their migrations, and on application patching as well, until suddenly they find 1 in 5 of their devices running an OS that is 16 years old and more than three years past the end of extended support (which for Windows XP ended in April 2014).
Automation is the key, as doing anything manually through IT staff on each endpoint is prohibitively expensive. I sometimes wonder why senior IT folks struggle to realize this simple mathematical fact. If IT staff must spend 2 to 4 hours on each Windows machine during a Windows upgrade, then multiplied across thousands of machines the project is going to cost a significant amount in any sizable organization. Furthermore, in a typical organization in a typical year, nearly half of PCs are either rebuilt due to technical issues or because the hardware needs to be replaced. An investment in automation can reduce the hands-on time spent on most PCs to zero.
So how can public sector organizations improve their ability to stay current?
The first step is a software audit, to assess how many devices are out of date, and by how much. You can't fix the problem until you know its scope. If the estate is domain-joined, the directory and your configuration management tool (Configuration Manager, for instance) already record the operating system and version of every computer object, so you may already have the tools you need. Two caveats from experience: stale computer accounts that have not logged on for months will inflate the count unless you filter them out, and "out of date" has to be judged against the vendor's published end-of-support dates rather than against the age of the OS alone.
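The audit described above, as an added example that is not part of the original article. It assumes the estate inventory has been exported from Active Directory (for example with `Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemVersion,LastLogonDate | Export-Csv estate.csv -NoTypeInformation`), that the columns carry those attribute names, and that `LastLogonDate` has been exported in ISO format; the sample rows, the audit date of 1 September 2017 and the 90-day staleness threshold are constructed for the example. The support-end dates are Microsoft's published extended-support end dates for those products; Windows 10 is serviced per feature update, so it is routed to a manual-review bucket rather than assumed supported.

```python
"""Audit an exported Windows estate inventory for out-of-support operating systems.

Added example, not code from the original article. Assumes an Active Directory
export with columns Name, OperatingSystem, OperatingSystemVersion and
LastLogonDate (ISO dates). The sample data below is constructed.
"""
import csv
import io
from datetime import date, timedelta

# Extended-support end dates published by Microsoft. Matching is by prefix of
# the OperatingSystem attribute; anything not listed goes to a "review" bucket
# rather than being silently counted as supported.
SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),   # prefix also covers 2008 R2
    "Windows 10": None,   # serviced per build; needs a version-level check
}

# Constructed sample export (not real hosts).
SAMPLE_EXPORT = """Name,OperatingSystem,OperatingSystemVersion,LastLogonDate
WS-FIN-001,Windows XP Professional,5.1 (2600),2017-08-30
WS-FIN-002,Windows XP Professional,5.1 (2600),2017-08-29
WS-OLD-003,Windows XP Professional,5.1 (2600),2016-11-02
WS-HR-004,Windows 7 Enterprise,6.1 (7601),2017-08-31
WS-OPS-005,Windows 10 Enterprise,10.0 (15063),2017-08-31
WS-OPS-006,Windows 10 Enterprise,10.0 (15063),2017-08-30
WS-OPS-007,Windows 10 Enterprise,10.0 (14393),2017-08-31
SRV-APP-01,Windows Server 2003,5.2 (3790),2017-08-31
SRV-APP-02,Windows Server 2008 R2 Standard,6.1 (7601),2017-08-31
KIOSK-009,Windows Vista Business,6.0 (6002),
"""

AS_OF = date(2017, 9, 1)   # assumed audit date for the example


def classify(os_name, as_of):
    """Return (status, days_past_support_end) for one OperatingSystem value.

    status is 'unsupported', 'supported' or 'review'. Longest prefix wins so
    that a more specific product name is matched before a shorter one.
    """
    for prefix in sorted(SUPPORT_END, key=len, reverse=True):
        if os_name.startswith(prefix):
            end = SUPPORT_END[prefix]
            if end is None:
                return "review", 0
            if as_of > end:
                return "unsupported", (as_of - end).days
            return "supported", 0
    return "review", 0


def parse_inventory(csv_text):
    """Parse the export; an empty LastLogonDate means the account never logged on."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = (row.get("LastLogonDate") or "").strip()
        row["LastLogonDate"] = date.fromisoformat(last) if last else None
        rows.append(row)
    return rows


def audit(csv_text, as_of, stale_days=90):
    """Summarise the estate, excluding accounts stale for more than stale_days."""
    cutoff = as_of - timedelta(days=stale_days)
    summary = {"active": 0, "stale": 0, "unsupported": 0, "supported": 0,
               "review": 0, "by_os": {}, "worst": []}
    for row in parse_inventory(csv_text):
        last = row["LastLogonDate"]
        if last is None or last < cutoff:
            summary["stale"] += 1          # dead object, would inflate the count
            continue
        summary["active"] += 1
        os_name = row["OperatingSystem"]
        summary["by_os"][os_name] = summary["by_os"].get(os_name, 0) + 1
        status, days = classify(os_name, as_of)
        summary[status] += 1
        if status == "unsupported":
            summary["worst"].append((days, row["Name"], os_name))
    summary["worst"].sort(reverse=True)   # longest past end of support first
    active = summary["active"]
    summary["pct_unsupported"] = round(100.0 * summary["unsupported"] / active, 1) if active else 0.0
    return summary


if __name__ == "__main__":
    s = audit(SAMPLE_EXPORT, AS_OF)
    print(f"active {s['active']}, stale {s['stale']} (excluded)")
    print(f"unsupported {s['unsupported']} ({s['pct_unsupported']}% of active), "
          f"needs review {s['review']}")
    for days, name, os_name in s["worst"]:
        print(f"  {name:12} {os_name:32} {days} days past end of support")
```

The "worst" list is the prioritisation input: the machines longest past end of support go first, and the "review" bucket keeps Windows 10 builds from quietly padding the supported total. On a real export, replace `SAMPLE_EXPORT` with the file contents and `AS_OF` with today's date.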
Next, explore software update automation options. There are several available, and while they do require an upfront expenditure, they will save you money and a lot of time in the long run by accelerating patching and OS migrations and, most importantly, by reducing your exposure to attacks like WannaCry. You can't put a price on breach avoidance.
The most crucial thing that needs to happen, though, is that senior executives need to mandate that software and operating systems stay current. A senior public-sector worker once told me, “In the public sector, no one is fired for following process” – meaning the outcome is less important than whether the official policy or process was followed.
Today, there is simply no mandate to stay current. There may be general guidelines, but no one gets fired (or even appraised) for not following them. And even where the will to do better exists, there is no public-sector benchmark against which an organization can measure itself. There isn't such a benchmark in the private sector either (and perhaps there should be), but there other business drivers usually provide the stimulus to upgrade or stay current. The public sector needs guidance and motivation to meet its targets, rather than just appalled post-mortems when its software shortcomings come to light.