More than half of the state agencies in Kansas to undergo recent audits failed to comply with security standards and best practices.
A report released Wednesday by the Kansas Legislative Division of Post Audit shows that 11 of 19 audited agencies — including major departments such as the University of Kansas system, the Department for Children and Families, the Department of Education and the Kansas Secretary of State — fell short across a variety of standards required by state statute.
The report, which looked at agency performance from 2017 through 2019, found that 79 percent of agencies failed to scan or patch their computers to ensure the most recent security protections, which is widely considered one of the simplest and most effective ways to deter security threats.
Sixty-three percent of Kansas agencies did not have adequate incident-response or continuity of service plans. Eighty-nine percent did not provide adequate security-awareness training or failed the auditor’s social-engineering tests. And 89 percent said they did not encrypt, back up or destroy electronic data.
Auditors cited “a lack of proper top management attention” and “inadequate resources” as the most common causes for compliance failure. The office also issued a warning.
“The state will face significant consequences if hackers are able to access an agency’s network or confidential data because of poor security controls,” the report says. “A significant security breach could disrupt an agency’s mission-critical work and their reputation would be sorely damaged. A breach also could require costly customer credit report monitoring and could create legal liabilities or financial penalties for the state.”
Other widespread weaknesses identified by the report included failure of agencies to protect their network boundaries, having poor access or environmental controls in state data centers and various policy or management weaknesses. Ninety-five percent of agencies audited were found to lack at least one critical account-security control.
Auditors didn’t make any recommendations in the report, noting instead that they’d been working directly with individual departments to fix the problems as they were discovered. Agencies subsequently began working on solutions to “most findings,” the report says.
Republican State Sen. Julia Lynn is among the lawmakers who have been making noise about the state’s continual cybersecurity shortfalls in recent months. She’s called the compliance violations “very serious” and said lawmakers and the public won’t tolerate it much longer, The Topeka Capital-Journal reported.
For agencies that were audited in 2019, the auditor’s office will follow up to see what progress has been made this fall.
Many state technology leaders say securing their systems against cyberattacks and enforcing standardized approaches across agencies is a challenge given the size of their organizations and variety of legacy infrastructure they manage. For the last two years, California’s technology agency has been developing new tools and processes to measure the relative maturity of each state agency’s cybersecurity posture. Maturity metrics, said former California Chief Information Security Officer Peter Liebert, will allow his office to prioritize which state agencies have the greatest need to be supported.