(The Center Square) – State government needs to create a culture that takes cybersecurity seriously and trains employees how to protect information, according to a report by Republican Missouri Auditor Scott Fitzpatrick.
The audit reviewed cybersecurity awareness and training for 34 government entities and approximately 52,000 state employees during the fiscal year ending June 30, 2023. Policies and procedures of the 18 agencies overseen by the Office of Administration’s Information Technology Services Division were reviewed along with 16 agencies independent of the IT services.
Even though policy requires all employees who use state-owned systems to complete monthly security awareness training, the 14-page audit found approximately 20% of employees didn’t complete any security awareness training during the test period. It also found many employees were unofficially exempt from training requirements.
The lack of training for the employees wasn’t detected as policy doesn’t require anyone to monitor the completion of security awareness training, according to the audit.
“The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services,” Fitzpatrick said in a statement announcing the report. “With tens of thousands of our state employees using computers with internet access on a daily basis, it is extremely important for the state to make effective security awareness training a key component of its culture.”
Last month, Jackson County closed its assessment and collection offices and the recorder of deeds due to a possible ransomware attack. Last year, the Missouri Department of Social Services encouraged Missourians engaged with the department to monitor their identity and credit information after a possible nationwide third-party cyber attack.
When the St. Louis Post-Dispatch reported a security vulnerability in the Department of Elementary and Secondary Education’s website, Republican Gov. Mike Parson notified the Cole County prosecutor, ordered the Missouri State Highway Patrol to investigate and said the situation would cost taxpayers $50 million. No charges were filed and the education department spent $800,000 on credit monitoring.
Three years ago, the Missouri legislature passed a law to enhance a nine-member cybersecurity commission, operated under the Department of Public Safety and with its members appointed by the governor.
Approximately 19 years ago, the state formed the Information Technology Services Division within the Office of Administration to consolidate staff and funding. The division serves most executive branch offices, and its services include security training.
Missouri agencies without consolidated information technology systems are independent of the division and maintain their own departments for operations, including security training. The overall structure and distinct roles of the division and consolidated and non-consolidated government agencies present challenges to achieving statewide security awareness, according to the audit.
“Our audit report makes recommendations that can help the state take additional steps to ensure state employees are trained appropriately and armed with the knowledge they need to avoid scams and phishing attempts,” Fitzpatrick said. “I’m glad to see our recommendations have been well received and the state is working to put them into place.”