So far, the evidence suggests Windows 8 has hardly been the gleaming success that Microsoft no doubt hoped it would be. Microsoft might argue that Windows 8 has met sales expectations by selling over 60 million licences since it began shipping in October, but industry analysts such as NPD Group insist that the touch-optimised operating system has gotten off to a “slow start”.
Indeed, the uptake has been so slow that the likes of research firm IDC has apportioned a significant amount of blame to Windows 8 for a worse-than-expected dip in PC sales during the last quarter of 2012. The firm argued that the new OS failed to spark a surge in PC buying, because Microsoft failed to make the benefits of its new software clear to prospective customers.
To top it all off, Windows 8’s security features, which now come in the form of Windows Defender, have also been called into question, with antivirus vendors only too keen to show the new software’s shortcomings. Of course, many of these accusations can be taken with a pinch of salt – after all, why would an antivirus vendor say that there is no need for extra security? – but the sheer amount of criticisms suggest that Microsoft may very well have missed a beat on this issue.
For example, in December 2012, independent antivirus research lab AV-Test performed a comparative review of Kasperksy Internet Security and Windows 8’s built-in security components. The findings suggested that Microsoft’s built-in solution missed 11.9% of attacks in Real World testing, and detected only 90% of malicious samples during an on-demand scan. Kasperksy’s solution, on the other hand, detected 99% of the malware samples.
Windows Defender might be better than having no antivirus software at all, then, but for some users, particularly those who may adopt Windows 8 as an enterprise OS, not being able to detect 10% of malicious samples is too big of a risk to take. What’s more, detecting threats is only the tip of the iceberg when it comes to providing proper security, according to a number of experts.
“While Windows Defender has been making progress in detection and achieving some solid results, it doesn’t provide the full range of capabilities that businesses need and expect to fend off cyber criminals,” says James Lyne, Director of Technology Strategy, Sophos. “Effective security today requires an approach of ‘defence in depth’ – that is putting in place a range of different controls layered together to achieve effective protection.
“Depending on one single type of control such as antivirus is no longer a viable strategy for any business. Equally, reporting and audit of security controls across the estate is a critical requirement – a job that is still done significantly better by third-party security providers.”
Nicolai Solling, Director of Technology Services, Help AG, agrees that there is much more to providing comprehensive security than simply being able to check for viruses in files. “Advanced-level endpoint security addresses user behaviour control, device management, corporate policy and network access control, which are all areas where Windows Defender has some progress yet to make,” he says.
That said, both men argue that Windows Defender, as a concept, is a good thing, because it means that Microsoft has invested in a baseline security system that comes bundled with the operating system. Indeed, they say that the new OS offers some useful changes that will continue to make life more difficult for cyber criminals.
“Some of the new features help significantly, such as making it way harder for malware to load as a rootkit,” says Lyne. “In Windows 8, providing you have a computer with the required hardware, the operating system boot loader is signed with a certificate that allows the device to identify whether the code being loaded is genuine Microsoft or a nasty piece of malicious code. As with anything, such capabilities aren’t entirely bulletproof but they raise the bar for attackers.”
Solling concurs, explaining, “If you look under the hood, a lot of very nice features have been done, such as dynamic memory allocation randomisation, rootkit detection and trying to simplify the security interface for users.”
It would seem, then, that contrary to what many security vendors would have customers believe, Microsoft really has stepped up its security game with Windows 8. Windows Defender alone might not provide enough protection at the enterprise level – or even the consumer level – but it is a step in the right direction in terms of base-level security.
What’s more, the experts claim that it is difficult to blame Windows 8’s security features on the lukewarm uptake of the new software. The fact that many companies only recently finished deploying Windows 7 is perhaps a bigger reason for the apparent lack of interest in Windows 8.
“Many organisations I am talking to have only just finished their deployment of Wndows 7, a project which took them between six and 18 months, depending on the scale of the project,” says Lyne. “For that reason, many organisations are not yet ready for an upgrade cycle to Windows 8 and plan to stick on Windows 7 for a little longer.”
Solling confirms that Windows 8 adoption is significantly slower than Windows 7 adoption was. He says that Windows 7 had a user base penetration of approximately 5% one month after launch, and that the figure for Windows 8 stands at less than 1.5%. However, he also points out that new hardware requirements and the fact that updating to a new OS is never high on a company’s agenda have contributed to a slow start for Microsoft’s new operating system. Security, it seems, is not the issue.
“It shouldn’t be a major surprise that businesses are being a little tardy,” he says. “Remember how long everyone used Windows XP – and avoided Vista – before upgrading to Windows 7?”
Of course, a number of companies have already upgraded to Windows 8. In the Middle East, Microsoft Gulf made a reasonably big announcement about the fact that Union National Bank (UNB) was upgrading parts of its IT infrastructure to the new operating system. UNB said that the new IT model will be the first of its kind in the UAE’s financial sector, and seemed only too happy with the upgrade.
Commenting on the agreement Zuhair Sulaiman, SVP and CIO, UNB, said: “This partnership will serve as an important vehicle for business growth by giving UNB the opportunity to be the first in implementing and exploring the business benefits of Windows 8.”
But should the bank – and its customers – have any extra security concerns as a result of the switch? According to Lyne, there shouldn’t be an issue.
“Upgrading to Windows 8 isn’t a bad decision for businesses from a security perspective as it builds in new capabilities and improves on security from prior versions,” he says, going one better than Solling, who simply says that Windows 8 is not any less vulnerable than Windows 7.
However, most security experts are at pains to point out that Windows 8 is certainly not secure enough without the help of a third-party antivirus product. “It’s important that businesses recognise that security built into the operating system isn’t a panacea and it is still critical to practice defence in depth to provide effective protection,” says Lyne.
Ensuring the proper protection shouldn’t be a problem when it comes to Windows 8, says Solling, who points out that Microsoft has enjoyed long relationships with many of the top antivirus vendors over the decades. “The security on a Windows platform has always been closely linked to the products being offered by these vendors. At Help AG, we looked into the issue of third-party antivirus and security solutions, and based on our initial analysis, third-party solutions will operateas good as the native Windows Defender from a performance perspective,” he says.
“I am sure that Windows Defender will have a great impact and market-space in the consumer space, but the enterprise space will continue to be dominated by the big players like Symantec, McAfee and Kaspersky, and all of the smaller antivirus and security players.”
Perhaps, then, as security becomes less of a concern, and firms ready themselves for the next round of system upgrades, Windows 8 should see a more energetic rate of uptake. Indeed, Solling predicts that customers will eventually have to shift to the new platform, if only to keep up with new applications and technologies.
“Windows 8 is a paradigm shift in how Microsoft develops programmes and applications, and how it handles the software ecosystem around Windows,” he says. “This means that, even if customers do not directly adopt Windows 8, they will, at some point, need to adopt at least aspects of the system.”
Lyne, meanwhile, predicts that, alongside the need to adopt new systems, hardware upgrades will push up the demand for Windows 8. “Tablets such as the surface – and equivalent partner versions – are likely to drive adoption as [the platform] offers a very tablet-optimised experience.”
He also warns that security may still be a concern as Windows 8 uptake increases, particularly as new hardware, such as tablets, is taken on board. “Many of these tablets will end up running essentially desktop Windows 8 and being compatible with all the legacy applications. With that legacy support of applications comes legacy support of their security vulnerabilities,” he explains.
The same can be said for a number of other systems, though, so whether security will play a dominant role in companies’ decisions to upgrade still remains to be seen. What seems clear, though, is that Windows 8 provides a better standalone platform for protecting against malware than Windows 7 does, and that security issues have had little to do with the slow uptake of the new operating system.
Unfortunately, Windows Defender in no way provides the all-encompassing protection that businesses need, meaning that antivirus vendors will still be able to cash in, no matter what OS the customer is running on.