Some Missouri state employees aren’t doing their cyber training, audit finds

An audit of 34 agencies by Missouri State Auditor Scott Fitzpatrick found that 20% of employees didn't do their required cybersecurity training.
office workers at meeting table
(Getty Images)

A report published this week by Missouri State Auditor Scott Fitzpatrick found that cybersecurity training is not being consistently implemented across state agencies, reflecting an office culture that does not take cybersecurity threats seriously.

The report examined cybersecurity awareness and training efforts for 34 agencies that staff more than 50,000 state employees. It identified weaknesses in policies and procedures related to security awareness training, a lack of oversight in training efforts and a need to implement training and phishing testing.

“Security incidents can often be traced to a user error, such as clicking on a link in a malicious email, or sharing account credentials with bad actors,” the report read. “It is important for the state to establish a security culture that takes threats seriously and teaches employees how to protect state resources.”

The Office of Administration’s Information Technology Services Division requires all employees who use state-owned systems to complete monthly security awareness training. However the audit’s review of state employee training data showed that 20% of employees did not complete any security awareness training during the audit’s six-month testing period between Jan. 30 and June 30, 2023.


“As a result, state resources such as data, systems and/or funds are at increased risk of exposure or loss,” the report read.

Auditors noted that their assessment and recommendations apply to state agencies that aren’t governed by the state technology department, but whose employees are still required to complete monthly security awareness training.

“We will assess whether enhancements to existing policies or adding new policies is appropriate,” John Laurent, Missouri’s acting state chief information officer, said in response to the audit. “We will also address oversight and variance for cybersecurity awareness training.”

The technology department also noted in its response that it can’t force agencies not under its purview to complete training, but that they’re welcome to use its training resources.

The audit follows a cyberattack last month on a Kansas City traffic management system. State and local governments are increasingly becoming targets for ransomware and other cyberattacks that sometimes can lead to data breaches or down computer systems for months.

Sophia Fox-Sowell

Written by Sophia Fox-Sowell

Sophia Fox-Sowell reports on artificial intelligence, cybersecurity and government regulation for StateScoop. She was previously a multimedia producer for CNET, where her coverage focused on private sector innovation in food production, climate change and space through podcasts and video content. She earned her bachelor’s in anthropology at Wagner College and master’s in media innovation from Northeastern University.

Latest Podcasts