A new report from the Washington state auditor said that state agencies need to improve compliance with security standards to better guard against cyber attack, based on a sampling of agency practices.
The audit, completed by Washington State Auditor Troy Kelley’s office, looked at five state agencies over the course of several months and found close to 350 instances (of 1,035 components tested) where the agencies were not in full compliance with security protocols.
“We’re not specifically concerned only with those five agencies,” Kelley told the Seattle Times. “We thought they were indicative of state government across the board.”
The audit did not identify the agencies, nor did the findings detail where the weaknesses were detected, out of concern that hackers could use the information to attack the state. All of the agencies have either fixed or are working to fix the issues, according to the audit.
The auditor’s office said the areas that had the highest noncompliance risk involved application security, data security and operations management.
They also ran application security tests to assess whether applications and their underlying infrastructure were vulnerable to attack and found 46 issues at the five agencies, seven of which were deemed a critical risk, meaning that the effect would be wide and “almost certain to be exploited.”
The audit’s recommendations include having the state’s chief information officer revise the state’s security standards, and evaluating and revising current processes used for agencies to report the status of their compliance yearly.
Also Monday, state Rep. Zack Hudgins, a Democrat, said he is drafting a package of bills to address cybersecurity issues. The 105-day legislative session begins Jan. 12.
Cybersecurity issues have grown in importance in the state government technology community over recent years. In the annual list of the top 10 priorities for state CIOs put together by the National Association of State Chief Information Officers, cybersecurity has ranked No. 1 for the past two years. This comes after the issue ranked in the top 10 – but not near the top – for several years before that.
The issue has grown in importance as a handful of states have faced very public cybersecurity issues. South Carolina and Utah suffered major breaches in recent years that have taken the issue beyond their technology departments and into their governor’s offices.
Just a few months ago, West Virginia was forced to take a number of its state government computers offline following a cyber breach, and earlier this year Oregon’s Secretary of State office was forced to take its site offline following a breach.