05/13/2024 - Jefferson City, MO
A new report released today by Missouri State Auditor Scott Fitzpatrick emphasizes the need for the state to establish a culture of security that takes cyber threats seriously and teaches employees how to protect state resources. The audit report looked at awareness and training efforts for 34 state government entities that include nearly 52,000 state employees and found both a need for improved oversight for awareness training efforts for some entities, and the need to implement effective training and phishing testing for others.
"The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services. With tens of thousands of our state employees using computers with internet access on a daily basis, it is extremely important for the state to make effective security awareness training a key component of its culture," said Fitzpatrick. "Our audit report makes recommendations that can help the state take additional steps to ensure state employees are trained appropriately and armed with the knowledge they need to avoid scams and phishing attempts. I'm glad to see our recommendations have been well received and the state is working to put them into place."
The audit report, which primarily looked at the fiscal year ended June 30, 2023, examined the policies and procedures related to security awareness training for 18 state government entities that are overseen by the Office of Administration Information Technology Services Division (ITSD), as well as 16 state entities that are structurally independent of the ITSD. For the consolidated entities (CEs) overseen by ITSD, the report found approximately 20 percent of employees did not complete any security awareness training during the test period, despite the fact that ITSD policy requires all employees who use state-owned systems to complete monthly security awareness training. Furthermore, the lack of training for one-fifth of the employees was not detected because ITSD policy does not require anyone to monitor the completion of security awareness training. Additionally, many of the CEs have employees who were unofficially exempted from training requirements.
The report recommends the ITSD update its security awareness training policy to require oversight procedures for CE security awareness training to ensure required trainings are being completed, and clarify whether CEs are allowed to exempt certain employees from training requirements. ITSD has agreed with the recommendation and is working to implement the changes.
For the non-consolidated entities (NCEs) not overseen by ITSD, the report found 4 of the 16 entities do not provide or obtain ongoing security awareness training for their employees. In addition, 9 of 16 NCEs do not perform or obtain phishing testing on their employees. The 4 NCEs that do not provide security awareness training to their employees are also included in the 9 entities that do not do phishing testing. As a result of these weaknesses, state resources such as data, systems, and/or monetary funds are at increased risk of loss or exposure. The report recommends the NCEs not performing training should consider the ITSD's security awareness training policy and phishing testing efforts and establish policies and procedures to ensure training and testing are completed regularly for their employees. Furthermore, NCEs not currently providing security training or phishing testing should consider using ITSD as a resource to implement such procedures.
The complete report can be found here.