Audit questions sufficiency of security on state computers

Kansas doesn’t do enough to secure computer systems used by its state government, making confidential information vulnerable to hackers, a legislative audit said Thursday.

Auditors said their review of practices, computer systems and employee training at nine state agencies showed significant security weaknesses. Their report, presented to legislators, said none of the agencies had done a comprehensive assessment of computer security risks, and auditors were able to crack a significant number of employee passwords at six of them.

The audit said the agencies were reviewed because of the amount of confidential information in their electronic files, including Social Security numbers, data from tax returns and data identifying individuals. The report also said the state provides only limited oversight of agencies’ security controls.

“Some agencies are responsible for protecting millions of confidential records, which makes them a potentially enticing target for hackers,” the audit said.

The public report did not identify specific problems at individual agencies. The 10-member legislative committee that oversees the Legislative Division of Post Audit’s work had a closed session to review confidential reports on each agency, however.

The agencies reviewed included the departments of Commerce, Corrections, Education, Labor and Revenue. The list also included the state treasurer’s office, Juvenile Justice Authority, Board of Indigents’ Defense Services and Department of Wildlife, Parks and Tourism.

“Most agencies’ IT security controls we reviewed were not strong enough to help ensure that confidential information was adequately protected,” the auditors said in their public report.

In a response to the audit, John Byers, the executive branch’s chief computer security official, said decentralization of state computer systems has contributed to security problems and his office is working to address such issues. Gov. Sam Brownback’s administration now has one office overseeing management of all executive branch computer systems.

Revenue Secretary Nick Jordan said in his formal response that his agency has addressed some of the issues raised in the report and “has a solid plan to address all within 6 months.”

Sen. Mary Pilcher-Cook, a Shawnee Republican and chairwoman of the audit committee, said Brownback’s administration is working to address the issues raised in the report. Committee member Terry Bruce, a Hutchinson Republican and the incoming Senate majority leader, said the report changed some officials’ attitudes toward security issues.

“There were some who, they just never took it seriously,” Bruce said, declining to be more specific after the closed meeting. “They’re now correcting that.”

Audit committee member and Rep. John Grange, an El Dorado Republican, acknowledged that agencies probably can and should improve computer security. But he questioned whether the audit overstated the danger, saying the state has yet to see major security problems.

“What does the finding mean?” he said during a break in the committee’s closed meeting. “Does it have any impact on operations?”

The audit said seven of the agencies that were reviewed didn’t require employees to change passwords frequently enough or prevent them from reusing old passwords. Eight of the nine used weak encryption to store passwords, and four didn’t have settings to lock computer users out after failed attempts to log in.

In addition, one unnamed agency improperly told its staff that it was OK to share their passwords with information technology staff, and another directed employees to give their passwords to supervisors and IT staff.

The agencies also generally did an inadequate job of patching software, and seven of the nine didn’t provide strong enough security training, the auditors said.

“Even agencies that provided regular security training had staff who did not fully understand several critical IT security risks,” the report said.