
Is Your Local Council Using an Ancient Server?

An IT company has surveyed UK councils and boroughs, and found that 24% are using out-of-date and unsupported software on their servers.

Published by Claire Broadley

Three councils admitted that they are still using Windows Server 2000, with other councils admitting that their servers are running Windows Server 2003 or SQL Server 2005.

Microsoft does offer support for a limited time once one of its operating systems is outdated, but there is an eventual cut-off point. Support beyond that date has to be paid for. Eventually, the operating system will be considered to be unsupported. So while a handful of the councils that responded are using Windows Server 2008, only 13% are paying for the extended support.

Overall, 95 councils responded to the Freedom of Information request.

Out of Date Windows Servers Spell Trouble

The use of out-of-date software is a real concern; ransomware, malware, and viruses can take hold very quickly if software is not kept up-to-date. We only have to look at the rapid spread of WannaCry across the NHS to see why running old, unpatched computers can result in catastrophe for service users, with massive and entirely avoidable costs.

Comparex, the company that filed the Freedom of Information requests, points out that Windows Server 2003 has 150 known, unpatched vulnerabilities that are well documented on the web.

In this research, the councils did not say what the servers are used for, so it’s impossible to guess what the implications would be if they were breached. With various demands competing for council budgets, updating servers -- and investing in all the related support, disaster recovery, and backups -- is unlikely to be top of the list. However, it’s clear the pace of change needs to speed up quite rapidly to ensure citizens’ data is protected.

Investment in Up-to-Date Software

In the public sector, upgrading and replacing old IT equipment can be seen as an expense that can be delayed until next year, provided the servers appear to be working well. In an age of deep government cuts, there can be a temptation for cash-strapped councils to try to get by with what they have rather than investing for the future.

Comparex found that 94% of the councils running Windows Server 2000 or Windows Server 2003 planned to upgrade their server software within two years, but in the age of GDPR, this still creates considerable risk. Councils cannot feign ignorance; personal data is now serious business. And if a data breach occurs, they need to report it to the people affected within 72 hours and put time and resources into ensuring that people are informed and protected. Not all councils would have the resources to manage this effectively.