The Performance Audit of the Cybersecurity in the State of Utah, released this week, examined cyber practices among state agencies, local government and some educational entities to assess their cyber postures and gaps. Engagement with the auditing teams’ survey of local government and education organizations was lackluster — only 37 percent of those queried responded — but the data that was received, and the OLAG’s examination of state agency approaches, found several key areas to improve.
The report urged entities to create incident response plans and deepen their compliance with cybersecurity best practices. In particular, these include improving communication between IT leaders and administrative leaders, enforcing cyber awareness training for all employees and better complying with the Center for Internet Security (CIS) Controls, a set of prioritized best practices intended to help guard against common cyber threats.
The report release follows on the heels of new cybersecurity legislation in the state. That legislation went into effect on May 3 and requires government entities to report system security breaches to the Utah Cyber Center. It also directs the center to develop a statewide strategic cybersecurity plan as well as incident response plans coordinating activities across levels of government and with the private sector.
STATE BRANCHES
The Legislature Needs More Planning
The state Legislature’s IT team should look to improve compliance with CIS Controls and create key planning documents.
For one, the Legislative Information Technology Office needs a cybersecurity strategic plan — which would put it on par with neighboring states like Nevada, Oregon and Washington. Such a document would be informed by analysis of the organization’s current cyber posture. It would outline specific, long-term goals for improving and would help guide decision-making and resource designation to meet those aims over multiple years.
Also missing: an incident response plan to direct actions in the immediate discovery of a potential cyber incident. Such a plan is important to quicker response and recovery.
And while the legislative branch does have a cybersecurity policy, this “lacks the necessary elements to be effective” and should be more detailed. A policy is intended to “enforce security standards and procedures to protect computer systems, prevent security breaches, and safeguard private networks,” per the report.
Judicial and Executive Branches Must Raise Awareness
The judicial branch is in better shape, with a cybersecurity strategic plan already written. But this document hasn’t been updated since 2014 and needs a refresh, the OLAG found. Plus, several of its security policies have been stuck in draft mode since 2018-2019 and should be finalized.
Social engineering is currently a major driver of cyber attacks, and both the judicial branch and executive branch should push for employees to complete cybersecurity awareness trainings at least annually. Utah legislators are currently considering legally mandating all state employees to undergo such training. Enforcement would be an important element, too — currently the judicial branch does require employees to undergo annual cybersecurity awareness trainings, but none of the past five years saw more than 59 percent of staff comply.
EDUCATION & LOCAL GOVT
The auditing team attempted to survey 620 entities, including counties, cities, towns, applied technical colleges, service districts and school districts about their cyber practices. But only 223 recipients — 37 percent — responded, making it difficult to fully capture the statewide cyber posture.
Still, what responses did come in showed areas to target for improvement, with only 57 percent of survey-takers having adopted a cybersecurity framework and only 56 percent requiring annual cybersecurity awareness training, for example. The report urged organizations to require that all staff — not just IT — participate in cyber awareness training and to scan their systems for vulnerabilities at least every quarter.
Plus, many entities throughout the state need to improve how cybersecurity experts and management communicate over risks and security postures. Jargon, different levels of technical knowledge and communication style hurdles can all lead to confusion.
But clear documentation can help get everyone on the same page. State entities can better understand their cyber postures if they first conduct or secure assessments showing how well the organization complies with widely accepted security standards, for example. Creating a road map for improving compliance with those standards can then clarify next steps.
Road maps should include timelines and funding needs as well as designate responsible individuals.
