A new report by Utah’s Office of the Legislative Auditor General found that cybersecurity planning and training are lacking across multiple branches of the state government.
The state legislature’s watchdog office conducted an audit of public-sector privacy practices and found that many state agencies have not taken the necessary steps to establish cybersecurity frameworks, including following the industry-standard controls recommended by the Center for Internet Security (CIS).
In addition, the audit found that state agencies have not required employees to undergo routine cyber hygiene training. It also found that, across the state government, communications breakdowns worsened the impact of costly incidents.
“Cyberattacks have cost the state of Utah millions of dollars and will continue to do so if cybersecurity measures are not taken. Entities should take proactive steps to identify weaknesses and gaps in their security and use a cybersecurity framework as a guiding policy to address cybersecurity vulnerabilities,” the audit states.
The audit found that cybersecurity shortfalls were concentrated in the state legislature, the judicial branch, local governments, and Utah’s education sector.
For example, the audit found that the Utah legislature hasn’t adopted a strategic cybersecurity plan based on industry standards, nor does it have an incident response planning document to follow in the event of a cyberattack.
The state’s judicial branch also lacks a strategic plan. According to the report, the state court system’s last cyber plan was published in 2014. The court system has also seen a decline in the share of employees completing required annual cyber hygiene training, from 59 percent in 2020 to 43 percent last year.
Among the recommendations the report makes:
- Entities that lack a cybersecurity framework need to immediately adopt a framework, such as CIS standards;
- Governmental entities that are not satisfactorily compliant with competent cybersecurity standards should prioritize compliance; and
- Entities need to create and maintain an incident response plan.
While some organizations were motivated to make internal changes, the findings paint only a partial picture of cybersecurity across Utah’s government, because just 37 percent of the more than 600 entities across the state responded to the audit office’s survey.
“This low response rate does not allow us to adequately determine the overall risk to the state,” the report reads. “We are concerned that the response rate was low potentially due to the lack of secure cybersecurity networks.”