A new report released by Missouri State Auditor Scott Fitzpatrick emphasizes the need for the state to establish a culture of security that takes cyber threats seriously and teaches employees how to protect state resources. The audit report examined awareness and training efforts for 34 state government entities, including nearly 52,000 state employees. It found a need for improved oversight of awareness training efforts for some entities and the implementation of effective training and phishing testing for others.
“The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but it has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services. With tens of thousands of our state employees using computers with internet access daily, it is extremely important for the state to make effective security awareness training a key component of its culture,” said Fitzpatrick. “Our audit report makes recommendations that can help the state take additional steps to ensure state employees are trained appropriately and armed with the knowledge they need to avoid scams and phishing attempts. I’m glad to see our recommendations have been well received and the state is working to put them into place.”
The audit report, which primarily examined the fiscal year ended June 30, 2023, reviewed the policies and procedures related to security awareness training for 18 state government entities overseen by the Office of Administration Information Technology Services Division (ITSD), as well as 16 state entities that are structurally independent of the ITSD. For the consolidated entities (CEs) overseen by ITSD, the report found approximately 20 percent of employees did not complete any security awareness training during the test period, despite the ITSD policy requiring all employees who use state-owned systems to complete monthly security awareness training. Furthermore, the lack of training for one-fifth of the employees was not detected because ITSD policy does not require anyone to monitor the completion of security awareness training. Additionally, many of the CEs have employees who were unofficially exempted from training requirements.
The report recommends the ITSD update its security awareness training policy to require oversight procedures for CE security awareness training to ensure required training is being completed and clarify whether CEs are allowed to exempt certain employees from training requirements. ITSD has agreed with the recommendation and is working to implement the changes.
For the non-consolidated entities (NCEs) not overseen by ITSD, the report found four of the 16 entities do not provide or obtain ongoing security awareness training for their employees. In addition, nine of the 16 NCEs do not perform or obtain phishing testing on their employees. The four NCEs that do not provide security awareness training to their employees are also included in the nine entities that do not conduct phishing testing. As a result of these weaknesses, state resources such as data, systems, and monetary funds are at increased risk of loss or exposure. The report recommends the NCEs not performing training should consider the ITSD’s security awareness training policy and phishing testing efforts and establish policies and procedures to ensure training and testing are completed regularly for their employees. Furthermore, NCEs not currently providing security training or phishing testing should consider using ITSD as a resource to implement such procedures.
The complete report can be found here.
