Cybersecurity planning and training is lacking across multiple branches of government in Utah, according to a report published this week by the state legislature’s watchdog office.
The Office of the Legislative Auditor General’s performance audit of public-sector privacy practices found that many agencies have not taken steps to establish cybersecurity frameworks — such as following the industry-standard controls recommended by the Center for Internet Security — or require employees to undergo routine cyber hygiene training. The shortfalls occurred across the state legislature, judicial branch, local governments and Utah’s education sector, the audit found.
In assessing statewide cybersecurity, auditors found that across government, breakdowns in communication between IT staff and administrators made costly incidents worse.
“One of the central themes of this report is the breakdown of communication between IT staff and administration about the associated risks of cybersecurity,” the report read. “Entities we interviewed that had experienced a cyberattack reportedly paid anywhere from hundreds of thousands of dollars upward to over a million dollars as a result of the attack.”
While the report found many organizations that endured attacks were motivated to make internal changes, it only paints a partial picture of public-sector cybersecurity across Utah, with just 37% out of more than 600 entities returning the audit office’s survey.
“This low response rate does not allow us to adequately determine the overall risk to the state,” the report reads. “We are concerned that the response rate was low potentially due to the lack of secure cybersecurity networks.”
Of the responses from local governments, 75% of school districts reported having adopted a cyber framework, as did 56% of county governments. But only 39% of towns and cities said they had. The audit continued that implementing a framework, like the CIS controls, would go a long way toward closing some of those communication gaps between IT staff and top leaders.
“By using a framework, IT staff can formulate a roadmap based on areas that could improve and present the risks and possible safeguards to those who oversee their operation and together determine the best path forward,” the report reads.
At the state level, auditors found shortcomings similar to those in their limited view of local entities. The Utah Legislature also hasn’t adopted a strategic cybersecurity plan based on industry standards, nor does it have an incident response planning document to follow in the event of a cyberattack.
The legislature’s IT office only recently set up a cybersecurity division, the audit notes, having previously contracted with the executive branch’s Division of Technology Services. That division, which serves statewide agencies, has established cyber plans modeled on standards published by the National Institute of Standards and Technology, another industry-leading framework.
The legislative IT office only has a nominal, one-page cyber policy filled out with “minimal detail,” the audit read. Auditors found there are other models, though, such as the strategic plans used by Montana’s legislature and the executive branches of Utah and several other states.
“A cybersecurity strategic plan is a document that outlines an organization’s vision, mission, goals, and objectives for managing cyber threats,” the audit reads. “It is a long-term plan that provides guidance and direction for an organization’s decision-making and resource allocation over a period of several years. … Having a cybersecurity strategic plan will reduce risk and build resilience to cyber and physical threats to LegIT’s infrastructure. LegIT recently wrote a cybersecurity policy, but it lacks the necessary elements to be effective. Other organizations’ policies are much more sophisticated.”
The audit also knocked the Utah judiciary for lacking a strategic plan. The state court system’s last cyber plan was published in 2014. It’s also seen a steep decline in the number of employees completing a required annual cyber hygiene training, from a peak of 59% in 2020 to 43% last year.
The drop-off in cyber hygiene was also evident in the executive branch, which otherwise scored higher marks for strategic plan maturity and compliance with CIS controls and NIST standards. One unnamed agency that reported near-100% compliance with employee cyber training in 2020 had fallen to about 70% in 2022, the audit found.
“DTS needs to work with the agencies of the executive branch to ensure that all employees complete the annual cybersecurity awareness training,” the audit report read.