Almost half of English local authorities are still using old software that poses security risks, according to the responses to a series of freedom of information (FoI) requests.
Software licence management company Comparex UK has highlighted the issue after receiving responses from 81 of 95 London boroughs, metropolitan and county councils to which it submitted requests.
It found that 46% are still using one or more of Windows Server 2000, Windows Server 2003, or Microsoft SQL Server 2005. All three products are now out of extended support, meaning customers no longer receive regular security patches.
Almost a quarter (24%) of respondents said they were still running Windows Server 2000 or Windows Server 2003, which has been identified as having nearly 150 significant known vulnerabilities. Nearly all of the councils affected indicated plans to upgrade within the next two years.
Nearly two-fifths (38%) said they were running Microsoft SQL Server 2005, with 88% stating they were planning to upgrade in the next couple of years.
Almost all (94%) said they were also running Windows Server 2008 and Windows SQL Server 2008. Both products are already out of mainstream support, with extended support ending in the next two years.
The responses also revealed that just 13% of councils were currently paying for extended support for Windows Server 2008, while 9% were paying for extended support for Windows SQL Server 2008.
Exposed to risks
“By continuing to run out-of-date server software, many councils are exposing themselves to a host of security and compliance risks,” said Chris Bartlett, business unit director, public sector for Comparex UK.
“The FoI data suggests that matters are slowly improving, as separate FoI requests to London borough councils back in 2016 showed that 70% were running unsupported server software. However, with the General Data Protection Regulation now in effect, councils need to be even more cognisant of vulnerabilities – especially considering the volume of citizen data they hold. With that in mind, it is important that risks are managed, and councils establish an upgrade strategy.”
He added that councils should look to upgrade their software as soon as possible and that any not paying for extended support are increasing the risks.