For many states, governmentwide cybersecurity protocols are relatively new developments — a response to the rise in frequency of attacks on public entities. Still, as safeguards they are increasingly necessary, making compliance vital.
A first-ever cybersecurity audit of Mississippi showed that a considerable percentage of the state's agencies regularly failed to comply with its cybersecurity protocols.
Those protocols, codified in its Mississippi Enterprise Security program, were developed years ago and supported by a law passed in 2017, which established a basis for cooperation between agencies on issues of cybersecurity and defense.
The results of the audit, which were released this week by the Office of the State Auditor Shad White, showed that many "entities are operating like state and federal cybersecurity laws do not apply to them."
According to the audit, at least 54 of the entities that White's office reached out to simply chose not to respond. Of the responding agencies, 38 percent did not report encrypting sensitive information, as is required by state policy. Twenty-two of the 71 reporting agencies said that they had not conducted a third-party Security Risk Assessment. Eleven revealed that they did not even have a security policy plan or a disaster recovery plan in case of a cyberincident.
The end result of the audit, according to the report, is that over half of the respondents were less than 75 percent compliant with state law.
Mississippi has seen a handful of cyberattacks targeting public entities in the last several years, including ransomware attacks and data breaches at a state university, school district, and a sheriff's department, among others, according to SecuLore Solutions. For agencies to dismiss these concerns is to open themselves up to unnecessary risk, said White, in an interview with Government Technology.
"Out in the public, the reaction I have heard [about these results] is concern — because people read in the newspaper about Baltimore, and places in Texas and Florida and Georgia and ransomware and that sort of thing, and people get worried," he said.
Among state employees, meanwhile, White said reactions have ranged from a desire to do better to consternation that the office would publicize its findings.
"The real point of going out in the public and talking about this is to create some sort of momentum that pushes people to call their legislator or call their agency and make sure that they're protecting their data. And I think that we're getting that momentum," he said.
Much of the lack of compliance seems to be driven by complacency rather than expense, White said.
"We very rarely have heard 'Well, we just don't have the money to do that.' What we have gathered is that there is more an attitude of 'Oh, I didn't know we had to do that,' he said. "That's my guess as to why there's not more compliance."
State CIO Craig Orgeron said in an email that he felt the audit could contribute to improvements made throughout the state.
"As noted by the National Association of State Chief Information Officers (NASCIO), one of the most significant priorities of a state chief information officer (CIO) is to reduce risk to their state,” Orgeron wrote. “The work of Auditor Shad White and his team highlights that despite much progress in recent years, cyber-risk in state government is unlikely to dissipate and will likely grow. ITS remains committed to continuously improve the cybersecurity posture of state government.”