Local government warned to trust nobody and sack overzealous cyber security staff

The government's independent cyber security advisory has warned local government IT managers of the need for more intelligent security systems for online public services, telling them to "trust nobody".
Speaking at the Government ICT conference in London, technical director for the National Technical Authority for Information Assurance (CESG) Ian Levy told delegates that firewalls only go so far and that staff trying to install too many security solutions without justification should be sacked.
"More security is not always better: it's got to be proportionate and appropriate security," he said. "If people are telling you to put security in your systems but they can't explain why, sack them. If people are saying ‘Cheltenham [base of CESG] are saying put this security in your system', email me and I'll tell you to sack them."
Levy said that because the scope and risk of serving such a large and unknown customer base is so enormous, security has to match it.
"Trust nothing," he said. "This is fundamentally different to building a corporate system because the people I'm transacting with I have no trust relationship with. They're not my employees, they're not people I can talk to down the pub, it's a bunch of 60 million people out there on the internet who may or may not be who they say they are."
He told system administrators to assume "every single endpoint is infected with the worst possible malware" and that "all users are dumb at some point", adding that the only way of fending off attacks is with business intelligence that understands how users are supposed to behave. "Once a credential is issued, you have to assume it's compromised," he said.
Levy said his team had monitored a botnet for 11 hours in 2013 and spotted over 1,600 compromised Gov.uk transactions being logged, proving that there is a widespread problem with the general public's internet use.
"It's not about usernames and passwords," he continued. "It's not about firewalls, it's about business intelligence. It's about understanding how your business transactions work and the footprints they leave on your service. It's a fundamentally different type of security."
As local government services increasingly head to the web and away from paper-based systems, with central government leading the way with its Gov.uk initiative, protection from fraudulent activity has become ever more important. That, combined with stricter regulations on public sector IT in areas such as stricter BYOD policies, has brought cyber security to the fore in local government.