Large quality variations
They don't seem to make any effort to learn from each other or share 'best practice'. Hasn't it always been like this with the police and all forms of local government service?
An alarming proportion of cops’ websites lack any form of automatic secure connection, meaning sensitive data is potentially communicated in plain unencrypted text – according to research. Findings from non-profit body the Centre for Public Safety revealed that almost one-quarter of police sites lack any automatic secure …
It's not just police with this problem.
There are as many fire services and school departments, with wildly varying degrees of funding and management ability.
Which leads to wildly varying degrees of quality on a county-by-county basis.
The idea of regionalising/nationalising these is nice, but the problem is that it's extremely likely that those who end up running the show will be the incompetent trough-snufflers rather than the ones with decent ability.
"Have they been too busy snooping on us, too eager to spunk millions over 'anti-terrorist' toys to look after their own house?"
Yes, it looks like they're too busy intercepting our mobile phone calls to deal with trivial things like 'data security'...
Test it yourself here: https://www.ssllabs.com/ssltest/
http://www.gov.uk redirects to https and gets A+, which is very good (and a bit of a pleasant surprise). I note they do not even support SSL v3 at all.
Now let's try this: https://securityheaders.io/
Hmmm, D - more work needed. To be fair, most webmasters are aware of the SSL Labs rating; fewer know about the headers thing.
"interesting sites. my hospitals website scored an F in the header thing"
Many sites do, it is the way of things. Most web server owners concentrate on the SSL rating, hellbent on getting an A or the mystical A+, and are blissfully unaware that things like CSP (which can be hard to do) are even a thing.
Once you've got an A on both, the next step is to get things like mod_security up and running. All without breaking your website/webapp and not restricting too much who can even see it! For PCI-DSS compliance (eventually, when they remove the relaxation on the standard) you'll be needing to disallow up to and including TLS 1.0, and that won't work on Exchange OWA running on Win 2008R2 - as so many do. Then you'll need something like HAProxy to do the dirty work.
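The two checks the thread keeps coming back to (does plain HTTP automatically redirect to HTTPS, and which browser-security headers are present) can be scripted against your own site. The following is an added example, not code from the article or from either scanning service; it runs offline on constructed responses, and its letter-grade scale is an assumption that only approximates what securityheaders.io does.

```python
"""Offline check for automatic HTTPS redirection and common security headers.
Grading is a simplified assumption, not securityheaders.io's real algorithm."""
from dataclasses import dataclass

# Headers a securityheaders.io-style scan looks for (name -> what it buys you).
EXPECTED_HEADERS = {
    "strict-transport-security": "force HTTPS on future visits (HSTS)",
    "content-security-policy": "restrict script/resource origins (CSP)",
    "x-frame-options": "block clickjacking via framing",
    "x-content-type-options": "stop MIME sniffing ('nosniff')",
    "referrer-policy": "limit what the Referer header leaks",
    "permissions-policy": "lock down powerful browser features",
}
GRADES = "ABCDEF"  # grade index = number of missing headers, capped at F

@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and headers."""
    status: int
    headers: dict

def redirects_to_https(resp):
    """True if a plain-HTTP fetch is answered with a redirect to an https:// URL."""
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    location = lowered.get("location", "")
    return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")

def missing_headers(resp):
    """Expected headers absent from the response (header names are case-insensitive)."""
    present = {k.lower() for k in resp.headers}
    return [h for h in EXPECTED_HEADERS if h not in present]

def header_grade(resp):
    """Letter grade: A with every header present, one letter lower per missing header."""
    return GRADES[min(len(missing_headers(resp)), len(GRADES) - 1)]

# Constructed sample responses (not captured from any real site).
PLAIN_HTTP_NO_REDIRECT = Response(200, {"Content-Type": "text/html"})
PLAIN_HTTP_REDIRECT = Response(301, {"Location": "https://example.invalid/"})
HARDENED = Response(200, {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
})

if __name__ == "__main__":
    for name, r in [("no redirect", PLAIN_HTTP_NO_REDIRECT), ("redirect", PLAIN_HTTP_REDIRECT), ("hardened", HARDENED)]:
        print(f"{name}: https redirect={redirects_to_https(r)} grade={header_grade(r)} missing={missing_headers(r)}")
```

To run it against a live site you own, replace the constructed `Response` objects with the status and headers from a real fetch; the header names and the redirect-status set are the only site-independent parts.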
The fundamental problem with the Police is that they are run by Government. By and large, Government is stupid, deferring to seniority and popularity rather than expertise. Those who make the important decisions are there because they have been in the right place long enough to impress someone senior with even less knowledge.
He said: “It’s 2016. The internet is not new, the cyber security threat is not new, and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology.”
As long as the money gets paid, I'm quite sure that the IT provider doesn't care.
I would say it's safe to assume that any changes to the site to make it more secure would need to be paid for by the taxpayer.
Https is just a transport layer.
The website itself needs to be securely set up, and the vast majority are trivially subvertible.
The problem with pointing _that_ out is that you end up ruffling the feathers of some self-declared expert who in this case has the power to give you a bad day, instead of being forced to fix it.