Monday, May 13, 2024

Audit report: State employees need more training on cybersecurity

(From State Auditor Scott Fitzpatrick)

A new report released today by Missouri State Auditor Scott Fitzpatrick emphasizes the need for the state to establish a culture of security that takes cyber threats seriously and teaches employees how to protect state resources. 

The audit report looked at awareness and training efforts for 34 state government entities that include nearly 52,000 state employees and found both a need for improved oversight for awareness training efforts for some entities, and the need to implement effective training and phishing testing for others.

"The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services. With tens of thousands of our state employees using computers with internet access on a daily basis, it is extremely important for the state to make effective security awareness training a key component of its culture," said Fitzpatrick. "Our audit report makes recommendations that can help the state take additional steps to ensure state employees are trained appropriately and armed with the knowledge they need to avoid scams and phishing attempts. I'm glad to see our recommendations have been well received and the state is working to put them into place."

The audit report, which primarily looked at the fiscal year ended June 30, 2023, examined the policies and procedures related to security awareness training for 18 state government entities that are overseen by, the Office of Administration Information Technology Services Division (ITSD), as well as 16 state entities that are structurally independent of the ITSD. 

For the consolidated entities (CEs) overseen by ITSD, the report found approximately 20 percent of employees did not complete any security awareness training during the test period despite the fact ITSD policy requires all employees who use state-owned systems to complete monthly security awareness training. 

Furthermore, the lack of training for one-fifth of the employees was not detected because ITSD policy does not require anyone to monitor the completion of security awareness training. Additionally, many of the CEs have employees who were unofficially exempted from training requirements.

The report recommends the ITSD update its security awareness training policy to require oversight procedures for CE security awareness training to ensure required trainings are being completed, and clarify whether CEs are allowed to exempt certain employees from training requirements. ITSD has agreed with the recommendation and is working to implement the changes.

For the non-consolidated entities (NCEs) not overseen by ITSD, the report found 4 of the 16 entities do not provide or obtain ongoing security awareness training for their employees. In addition, 9 of 16 NCEs do not perform or obtain phishing testing on their employees. The 4 NCEs that do not provide security awareness training to their employees are also included in the 9 entities that do not do phishing testing. As a result of these weaknesses, state resources such as data, systems, and/or monetary funds are at increased risk of loss or exposure. The report recommends the NCEs not performing training should consider the ITSD's security awareness training policy and phishing testing efforts and establish policies and procedures to ensure training and testing are completed regularly for their employees. Furthermore, NCEs not currently providing security training or phishing testing should consider using ITSD as a resource to implement such procedures.

The complete report can be found here.

No comments: