"XP has been supported for a long time. We need customers to move off of it because of the security. XP gets less secure every year," Murphy said.
The Microsoft official also points out that, beyond the security dangers, businesses also sacrifice productivity. More and more, third-party software vendors will stop supporting the XP versions of their applications, while fewer and fewer hardware devices — PCs, printers, peripherals — will work with it. Windows XP also lacks the substantial technology improvements for end users and IT departments Microsoft has delivered with the OS editions that came after it. "XP was great in its day, but its time has passed," Murphy said.
Options for mitigating the risk
There are a variety of reasons why Windows XP remains in businesses, including ignorance about the risk, unwillingness to spend to upgrade and the existence of important applications that haven't been ported to newer versions of the OS.
David Johnson, a Forrester Research analyst, said he has been fielding many inquiries from companies that are struggling to move completely off of Windows XP because they need it to run custom applications built in-house for the OS or by software vendors no longer in business.
Gartner has also been hearing from many frazzled IT chiefs. "We have a lot of organizations calling us every day asking us what to do," Silver said.
Whatever the reasons, businesses that will have PCs on Windows XP for the foreseeable future must take steps to reduce the risk of using an unpatched OS. "Organizations that haven't done anything regarding their Windows XP PCs could be in serious trouble," Silver said.
Large organizations with deep pockets have the option of buying extended support from Microsoft, but this alternative is affordable and available only to a small number of companies.
For most other businesses, recommendations from experts such as Directions on Microsoft and from Microsoft's security team focus on two main areas: securing Windows XP itself as much as possible, and limiting what these PCs can do within corporate networks and on the Internet.
Securing Windows XP includes making sure that it's on the most recent SP3 version, that all available patches and updates have been applied to it, and that a full-featured security suite with antivirus and firewall is installed and current on the PC. User rights on these PCs should be downgraded, so that users don't run with administrator privileges.
It's also important to use Windows XP with browsers that still support it, such as Google's Chrome and Mozilla's Firefox, and not with IE8, which is also falling out of the update cycle. Unnecessary and insecure browser add-ons, controls and plug-ins should be uninstalled.