Sunday, April 19, 2026

Audit finds IT security weaknesses in state government

A new audit out Wednesday revealed significant security weaknesses in information technology systems throughout state government, some that have persisted since 2003.

Legislative auditors found that more than 50% of the agencies examined from 2017 to 2019 did not substantially comply with applicable IT security standards and best practices.

“The state will face significant consequences if hackers are able to access an agency’s network or confidential data because of poor security controls,” auditors warned.

“A significant security breach could disrupt an agency’s mission-critical work and their reputation would be sorely damaged.

“A breach also could require costly customer credit report monitoring and could create legal liabilities or financial penalties for the state,” auditors reported.

Data security for the state is critical given that Kansas collects tax, health, student and other personal information that could put taxpayers at risk if made public.

The audit reported that 11 of the 19 agencies reviewed in the past three years did not substantively comply with applicable security standards.

Auditors reported that state agencies have continued to struggle with similar IT security issues since 2003.

They noted that their findings in the current three-year audit released Wednesday were similar to the results from the last three-year report covering 2014 to 2016.

About two-thirds of the agencies — 13 of 20 — reviewed during the 2014-2016 audit did not substantively comply with IT security standards.

Areas of greatest concern listed in the current audit included inadequate scanning and patching processes, security awareness training, data protection as well as incident response and planning for continuity of operations in the event of a security breach.

The audit came almost three years after hackers targeted a data system administered by the Kansas Department of Commerce. They gained access to more than 5 million Social Security numbers belonging to individuals in 10 states.

The audit’s findings alarmed some lawmakers at the Capitol, especially after the data breach in 2017.

“It’s not good,” said Democratic state Rep. Jim Gartner. “It’s really sort of depressing to see that. We need to get a handle on this going forward.”

Republican Sen. Julia Lynn, who chairs the legislative audit committee, expressed a similar view.

“The committee is extremely frustrated that our constituents’ personal information would be open for attack,” Lynn said.

“We already had a breach, and thousands and thousands of Social Security numbers were exposed,” she said.

“Even after that breach, there’s still a lack of action on solving a very serious issue for our state,” she said.

Auditors do not look at the same agencies within each three-year period. However, they have audited several agencies for the second or third time during the past decade.

“Some of these agencies have improved their security posture from one audit to the next, while others had repeat findings,” the auditors stated in their report.

The audit report pinned some of the persisting problems on management inattention and a lack of resources over the years.

“Top management may not set sufficient or consistent expectations or monitor results,” the audit stated.

The audit said in one case IT management at a state agency overestimated the effectiveness of existing controls and underestimated other risks.

At another agency, management relied on its existing controls despite staff turnover.

In other cases, top managers exempted themselves from their own training protocols, were slow to implement security controls or decided to favor business activities over security.

Inadequate security staffing and high turnover within IT divisions “make it difficult to create or maintain a security baseline or retain institutional knowledge,” the audit found.

“Several agencies with notable resource issues had no or few security staff to carry out the work even when those agencies were relatively large and held sensitive data,” the audit said.

Among the security issues detailed in the report:

  • Most agencies (79%) did not properly scan or patch their computers to keep them secure.
  • Many agencies (63%) did not have an adequate incident response or continuity of operations plan in the event of a network breach. Some agencies had an incident response plan but didn’t test it to make sure it was adequate.
  • Most of the agencies (89%) did not adequately encrypt, back up or destroy electronic data.
  • Nearly all agencies (95%) lacked at least one important security control, which is intended to limit and track who has access to an agency’s network and data.
  • Most agencies (89%) did not provide adequate security awareness training. Employees at one agency, for example, left sensitive documents in a box under their work areas even though secure locked shredding bins were nearby.

The report also reviewed specific IT systems that maintained or processed confidential or sensitive data at 17 of the 19 agencies that were audited.

Auditors found issues with those systems, including poor account security and missing data protection.

The audit said those systems weren’t scanned and patched to keep them secure.

For instance, the system server at one agency had seven critical or high vulnerabilities, one of which was 4 years old.

Auditors found that at one agency, a former employee still had access to the system despite not having worked there for four months.

Another agency had not configured any password settings for the system auditors evaluated.

“Agency IT staff was able to set up a test account with a one-character password,” the audit said.

Last year, Gov. Laura Kelly named Department of Administration Secretary DeAngela Burns-Wallace as the state’s chief information technology officer.

Even as secretary for the Department of Administration, Burns-Wallace now leads the Office of Information Technology Services, which was created under former Gov. Sam Brownback.

In making that announcement, Kelly said the relationship between OITS and the rest of state government had been “challenging” since it was taken out from under the Department of Administration.

The governor said communication between the agency and its customers had been difficult.

Kelly blamed the former governor’s administration for failing to follow up and guide its decision to split information technology from the Department of Administration.

Burns-Wallace “has emphasized throughout her 6 months leading OITS, robust cybersecurity is a critical need for the state of Kansas,” spokesman Samir Arif said.

“Addressing cybersecurity deficiencies and developing a strong cybersecurity posture across state agencies is a priority.”

The audit acknowledged that the state has taken steps to address weaknesses in cybersecurity. However, it’s not enough, the audit said.

“More needs to be done to create a stronger security posture across state agencies,” the audit said.