Compliance: Mississippi State Agencies Have a Long Way to GoAudit Finds Agencies Not Following State's Cybersecurity Law
The personal data of Mississippi citizens is susceptible to breaches because many state agencies, universities and other organizations are failing to comply with all the mandates of the state's cybersecurity law, according to a report issued by the Office of the State Auditor.
The audit found that many agencies were not in full compliance with the Mississippi Enterprise Security Program. The state law passed in 2017, which codified the guidelines in the state's security program, requires the implementation and maintenance of security policies and standards by any organization or agency that relies on Mississippi's state IT network.
The recently release auditor's report notes that of the 125 organizations asked to participate in a survey, 54 did not respond to requests for information. Of the 71 state agencies and organizations that did respond, over half were less than 75 percent compliant with the enterprise security program.
"The results of the survey show that Mississippians' personal data may be at risk," the report states. "Many state agencies are operating as if they are not required to comply with cybersecurity laws, and many refused to respond to auditors' questions about their compliance."
Shad White, the Mississippi state auditor, told Government Technology that he hopes the report will create greater awareness of the state's cybersecurity law and push lawmakers and citizens to demand that these guidelines are followed.
"The real point of going out in the public and talking about this is to create some sort of momentum that pushes people to call their legislator or call their agency and make sure that they're protecting their data. And I think that we're getting that momentum," White says.
State of Affairs
Auditors found that 11 of the organizations participating in the survey did not have a security or disaster recovery plan in place to help mitigate cybersecurity risk, respond to vulnerabilities in IT systems and software, or offer guidance on how to report an incident. Such a plan is required under the state law.
In addition, some 22 agencies failed to run regular security risk assessments as required, the audit shows
In another major security flaw, the audit notes nearly 38 percent of respondents failed to encrypt sensitive information.
In its conclusion, the audit recommends that state agencies that are not in full compliance do more to improve their overall cybersecurity, following the example of more compliant agencies. For instance, the office of the state auditor worked with the U.S. Department of Homeland Security to conduct penetration testing of its systems.
Agencies also need to train their workers to spot phishing emails as well as other types of attacks, the report stresses. "Finally, state leaders should continue to collaborate and share cybersecurity best practices both between state agencies and with local governments," the report adds.
Over the last several months, the security efforts of government agencies have been in the spotlight as more have become victims of cyberattacks. A report released earlier this month found that nearly 70 state and local governments had sustained a ransomware attack in the first nine months of this year (see: Just How Widespread Is Ransomware Epidemic?).
In 2018, voting data for Mississippi citizens was posted for sale online along with personal information from residents of other states (see: US Voter Records for Sale on Hacker Forum).
Congress is considering a bill that would require the Department of Homeland Security to provide additional resources and assistance for local and state agencies hit by ransomware (see: Bill Calling for DHS Cyber Incident Mitigation Teams Advances).
Issues of Legacy Systems
Many state agencies rely on older systems and software that have not been updated as cyberthreats have evolved, says Chris Pierson, CEO of the cybersecurity company BlackCloak.
In many cases, state funding to improve these security systems is inadequate, Pierson says.
"While many states have improved or enhanced consumer laws, state regulations and rules, the funding to accomplish the goals has not followed," Pierson tells Information Security Media Group. "States have a patchwork quilt of legacy servers, machines and environments -some of which cannot be patched - and lack the budget to ... accomplish [security] tasks in a timely risk-based manner. The results of the Mississippi audit are not surprising, and I would expect a lot of other states to be in the same position."
Managing Editor Scott Ferguson contributed to this report.