RobertRutherfordby Robert Rutherford, CEO of the business & technical consultancy QuoStar 

Windows 2003 support will end on July 14th 2015, however many law firms remain using Windows Server 2003 machines that will not be migrated by the deadline. This should not be the case and IT departments ought to have already cleared out this old operating system. For those firms that have not done this due to financial reasons, remember, this isn’t a matter of saving money; not acting could put a law firm at great risk from forceful and targeted cyber attacks.

When deciding your next step in deciding whether to migrate from Windows 2003 or not you need to be questioning whether it is actually worth the risk of data being stolen with the subsequent embarrassment to the firm and also the threat of a regulatory compliance breach. Falling foul of the regulators can bring significant costs – under EU General Data Protection legislation firms can be charged fines of up to two per cent of annual turnover for a breach. Data is not the only thing that is threatened; central systems such as email and case management could also be breached by hackers or malicious coding.

Understanding the threats
Recently there have been a few security vendors that have begun to claim that they are able to protect your systems despite you still running on 2003. Speaking generally, this is not the case. The reason for this is because the weak links tend to come in the forms of processes or a people. Remember, firewall protection will not be enough, neither will any staff and organisational protocols that are implemented.

Removing Windows support will mean that any 2003 servers within the firm are at risk from a vast array of threats. If your server directly faces the internet simply relying on a firewall may be ineffective as malware and zero day threats will be targeting vulnerabilities which are not patched and the firewall may not know about. Furthermore, the lack of security patches can make the server an easy access point for hackers into your systems. If the server is used to access the internet you also run the risk that malicious code will penetrate the server and ultimately the Local Area Network (LAN)/Wide Area Network (WAN) it sits on.

A further source that is a major risk originates from computers and other connected hardware in a LAN. Even if PCs, laptops and other servers are not infected, they can still potentially pass on an infection to an unprotected Windows 2003 server. Similarly, as viruses such as Flame and Stuxnet have showed, USB storage devices can also carry threats when plugged in. These pose a mobile threat that can be brought in from external people, whether because they are contract workers or perhaps they are pitching a product and have the presentation saved on a memory stick. Without the Window’s patches such devices become an even greater threat to your data security.

The next few months will likely see the risks to Windows 2003 servers grow since hackers will be waiting until the support has ended before taking action. Do not allow this inactivity to lull you in to a false sense of security; the attacks will come. The worst attacks will continue for six to nine months and will then begin to ease off after once the softer targets have been hit.

Developing a solution 
For those that have left it too late to switch from their Windows Server 2003, there are several critical actions that need to be taken in order to protect your environment.
1. Keep the server from being directly connected to the internet through the use of a firewall device and keep it separate from the LAN via a Virtual Local Area Network (VLAN) at the least.
2. Do not allow any external devices to be plugged into it at all.
3. Begin planning the migration of services off the Windows 2003 server.

Get a plan
The most important thing that should be done before Windows 2003 support ends is to put together a plan that will protect your services as soon as possible. This can be a complex and difficult task, so either you need to start planning immediately or you should bring in a consultant quickly.
When developing your plan there are number of elements that need to be factored into account. The following are the key considerations that need to be considered:
1. Will the existing hardware support new operating systems and/or software?
2. Will other applications work on the new operating systems and/or software?
3. Will third party application vendors support their applications on a new platform?
4. How will you overcome compatibility issues?
5. Do IT staff require training to roll-out and manage the new operating systems and/or software?
6. Will other employees need training to use the new operating systems and/or software?
7. How long will it take to test everything?
8. What resources are needed to roll the new operating systems and/or software out?
9. How long will it take to roll the new software out?
10. What do you need to budget for? For example, you can go for a fully managed cloud option, your own private cloud option, or simply replace servers and software in your own office.

Financing the move
If financial concerns have been the reason for avoiding upgrading your system its useful to remember that you can turn this into an Operational Expenditure (OpEx) rather than a Capital Expenditure (CapEx). Making this change can really help with your firms budget planning.
There are also product and payment methods to consider. In terms of the different services to choose from, there is a fully managed cloud option, a private cloud option, hybrid cloud, or having the servers and software replaced. Whichever option is chosen it should now be possible to finance development and consultancy work and also have the whole cost wrapped up in monthly payments.

In short, the continued success and stability of your legal firm depends on how you act now. Failure to do so will put you at the mercy of hackers who can leave you open to regulatory concerns, significant fines and also negative coverage in the media. Not taking action now is like knowing the bedroom window lock is broken and deciding to do nothing about it; in all likelihood at some point someone is going to get in.