Not enough agencies are compliant with cybersecurity laws, audit finds

An “alarming” number of US state agencies are failing to comply with the correct cyber security protocols, a recent report has revealed.

In the audit conducted by the office of the state auditor of Mississippi,  it was discovered that numerous universities, state agencies, commissions and boards aren’t obeying recently introduced cybersecurity laws.

Why new laws?

The protocol was introduced in 2018 with the aim of pushing for higher levels of online protection and building connections with defence and cybersecurity agencies. It is known as the Mississippi Enterprise Security Program.

As part of the survey, it was found that over half of the respondents are less than 75% compliant with the state’s cyber laws. Over one tenth of agencies do not have enough procedure in place to respond to a cybersecurity incident and shockingly, 38% of respondents who work with sensitive data such as tax, healthcare and student data, do not have first level encryption.

Cybersecurity awareness month

“This survey represents some excellent but alarming work by the data services division in the auditor’s office,” said Auditor Shad White.

White added: “October is cybersecurity awareness month, and we should start this month by acknowledging the very real weaknesses in our state government system. I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now.”

Not just an issue for the US

Discussing the recent discovery, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented that this problem is much bigger than most people realise. He says: “Sadly, most of the governmental agencies in the US and Europe are similarly underprotected. The government usually lacks financial resources and is unable to effectively compete on the market for cybersecurity talents. Moreover, purchasing and procurement processes are usually quite complicated and slow, exacerbating the situation. Hierarchy is likewise complicated, obscuring accountability and responsibility for cybersecurity.”

Kolochenko added, “Cybercriminals widely regard government as a low-hanging fruit, running targeted attacks and ransomware campaigns against it. Worse, most of the data-theft attacks are sophisticated enough to never get detected and reported, differently from quite “noisy” ransomware incidents.”

The CEO suggests that in order for governments to survive in a digital environment is to simplify internal processes, increase budgets and implement continuous security monitoring.



Related Posts