An audit of Mississippi government institutions has revealed an alarming lack of compliance with standard cybersecurity practices and with the state's own enterprise security program.
A survey of 125 state agencies, boards, commissions, and universities conducted by the Office of the State Auditor (OSA) revealed that only 53 had a cybersecurity policy in place. Eleven reported having no security policy or disaster recovery plan whatsoever.
The true number of completely unprepared government entities may well be higher, however, since 54 of the institutions surveyed didn't even bother to respond to the 59-question survey, despite the OSA being authorized to verify compliance.
"Many state agencies are operating as if they are not required to comply with cybersecurity law, and many refused to respond to auditors' questions about their compliance," wrote state auditor Shad White in a data services division brief dated October 1, in which the research findings were revealed.
In Mississippi it's a legal requirement for state institutions to have a third party perform a security risk assessment at least once every three years. Despite this law, 22 of the government entities admitted that they hadn't conducted a security risk assessment in the last three years.
Asked about how they stored and sent sensitive information, 38% of respondents said that they do not protect sensitive data with encryption.
The OSA also found that just over half of the government agencies that responded to the survey were less than 75% compliant with the Mississippi Enterprise Security Program.
White said: "State government cybersecurity is a serious issue for Mississippi taxpayers and citizens. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."
White called for leaders of agencies to question their IT professionals to make sure that their agency is compliant, and to "consider ways to go above and beyond to prevent cyber breaches."
Leading by example, the Office of the State Auditor requires all its employees to go through training to spot phishing attempts and learn best practices for preventing security incidents.
The OSA also partnered with the federal Department of Homeland Security and arranged for the DHS to perform a penetration test of the OSA's computer system to identify any vulnerabilities.
"I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now," said White.