Details released to SC through the Freedom of Information Act (FoIA) revealed at least four major government departments and a public body, including the Department of Health (DOH), the Department for Trade and Industry (DTI) and the Ministry of Defence (MoD), do not have even basic intrusion prevention (IDP) and detection (IDS) systems protecting their networks. This is despite the fact that the DTI's own best practice guidelines, published online, recommend IDS, both to secure networks and aid regulatory compliance.
"If I was being at my most charitable I'd say it was naïve. At the other end of the scale, it's tantamount to incompetence," said Mike Davis, senior research analyst at the Butler Group. "If I were protecting my network, intrusion detection would be the first thing on the list."
The Audit Commission (an independent public operation), the DoH, DTI, and the MoD all admitted they have no current detection systems in place. Other departments, including the Crown Prosecution Service, the NHS, and the Foreign and Commonwealth Office, refused to reveal details of their network security.
A DTI spokesman claimed the department was reviewing its own IDS policy.
"Two years ago we looked at the situation and decided against it. The market is more mature now and we've advised our IT suppliers, Fujitsu, to look into a solution. But this is at a very early stage," he said.
The revelation raises concerns about compliance with BS7799, the requisite security standard for all public bodies.
"Best practise, including BS7799, requires risk assessment and a strategy to mitigate against that risk," said Emlyn Everitt, senior security consultant at systems management company Logicalis. "I have not seen anything [in public bodies] to suggest a real understanding of the [network intrusion] problem."
John Pringle, CLAS consultant at consultants Bolden James believes BS7799 can be met without intrusion detection systems, but it is difficult.
"It's a combination of risk and countermeasures, you've got to assess the quality of other systems too, measure how good your firewalls are," he said. "But I would be surprised if any large enterprise or government body did not have intrusion detection."
The news arrives days after a Californian medical group notified 185,000 patients that their personal data had been stolen. "I've just been writing that the San Jose incident should never happen again, unfortunately it will," said Davis.