A large proportion of police websites lack any form of automatic secure connection, meaning potentially sensitive data is communicated in plain unencrypted text - according to research.
Findings from non-profit body the Centre for Public Safety, revealed that 73% of
websites accessed either lacked a secure connection for visitors or their
implementation was deemed insecure. Only 27% demonstrated the highest "world-class" standard of secure connection, said the report.
Richard Cassidy, UK cyber security evangelist at Alert Logic, comments:
“We're operating in a far more digitally driven world more than ever before with
healthcare, finances and education forcing our children and families to transact
online, in a bid to improve operations whilst driving down cost and complexity. This
is indeed the panacea; the reality however is far from perception.
Far too many web services still fail to implement even the most basic levels of
security capabilities, but it's not entirely the fault of the business or public
sector organisations. Legislation, e-data guidelines and their enforcement, are
still far behind where they need to be. As a result, the fight against the new wave
of highly organised cyber-criminal and hacker groups is fast becoming an
impossibility, as a result of the governments almost glacial propensity to enforce
change in areas where it's most fundamentally required.
We've seen excellent headway in the finance, banking and e-commerce sectors over
the years, with healthcare paying the price for less stringent efforts in terms of
leaked records overall relevant to other industry sectors, but this is now improving
vastly and to far greater effect than ever before. That said however, our national
police, fire & rescue services are now fast becoming a target, as low-hanging-fruit
for relatively younger, less sophisticated attackers, armed with complex, but
easy-to-use automated attack tools, that make light work of poorly patched web
services and poorly secured web facing assets. These organisations are left at the
mercy of internal expertise to make best use of ever decreasing budgets to achieve
the best security practices possible. When it comes to police matters, this is no
trivial matter; e-portals that allow members of the public to report crimes through
online forms, must be mandated to conform to the highest levels of security best
practices in terms of data-in-transit (and at rest) encryption; the repercussions of
an informant being identified or their data being intercepted/stolen as part of an
attack, has implications not only in public confidence, but in the actual criminal
cases they're related to also.
Standards such as HTTPS & HSTS (which enforces an encrypted connection from client
browser to web-server”) have been widely available for some time, both of which
can be easily embedded into web application frameworks, or enforced at security
gateways protecting the web-facing services. Questions have to be raised therefore,
as to why it is acceptable for such a fundamentally critical service can be allowed
to launch without these minimum security standards implemented. For me at least,
this has to point back to legislation and e-data mandate inefficiencies and proves
the point that organisations of all shapes and sizes need to carefully look at their
IT security spending and look to work smarter, not harder, embracing the new wave of
capabilities available to help achieve far better security outcomes, right across
the board”