Missouri state audit reveals need for improved cyber security training
A new report by Missouri State Auditor Scott Fitzpatrick says there needs to be increased cybersecurity awareness and training for state employees.On Monday, Fitzpatrick released a report emphasizing the need for the state to cultivate a security-conscious culture that addresses cyber threats and instructs employees on how to protect state resources.”The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services,” Fitzpatrick said. “With tens of thousands of our state employees using computers with internet access on a daily basis, it is extremely important for the state to make effective security awareness training a key component of its culture.”The audit report, focused on the fiscal year ending June 30, 2023, scrutinized the policies and procedures related to security awareness training for 18 state government entities overseen by the Office of Administration Information Technology Services Division (ITSD) and 16 state entities that operate independently of the ITSD.The report found that approximately 20% of employees did not complete any security awareness training during the test period, despite ITSD policy requiring all employees who use state-owned systems to complete monthly security awareness training.The report recommends that the ITSD update its security awareness training policy to require oversight procedures for CE security awareness training to ensure that required training is being completed.It also suggests clarifying whether CEs can exempt certain employees from training requirements.
A new report by Missouri State Auditor Scott Fitzpatrick says there needs to be increased cybersecurity awareness and training for state employees.
On Monday, Fitzpatrick released a report emphasizing the need for the state to cultivate a security-conscious culture that addresses cyber threats and instructs employees on how to protect state resources.
“The rapid advance of technology has undoubtedly made it possible for government to operate more efficiently, but has also brought with it greatly increased risk for data breaches and other hacking efforts that could disrupt essential services,” Fitzpatrick said. “With tens of thousands of our state employees using computers with internet access on a daily basis, it is extremely important for the state to make effective security awareness training a key component of its culture.”
The audit report, focused on the fiscal year ending June 30, 2023, scrutinized the policies and procedures related to security awareness training for 18 state government entities overseen by the Office of Administration Information Technology Services Division (ITSD) and 16 state entities that operate independently of the ITSD.
The report found that approximately 20% of employees did not complete any security awareness training during the test period, despite ITSD policy requiring all employees who use state-owned systems to complete monthly security awareness training.
The report recommends that the ITSD update its security awareness training policy to require oversight procedures for CE security awareness training to ensure that required training is being completed.
It also suggests clarifying whether CEs can exempt certain employees from training requirements.
