Utah's judicial branch lacks an up-to-date cybersecurity strategic plan, and the legislative branch's information technology office is not in compliance with cybersecurity standards, a recent legislative audit found.

The report, commissioned by the Utah Legislature, examined cybersecurity practices across the three branches of government in the state in addition to interlocal agencies. The findings show that several entities lack a framework for cybersecurity and do not require annual cybersecurity awareness training for their employees.

"Cyberattacks have cost the state of Utah millions of dollars, and will continue to cost the state if cybersecurity measures are not taken," the report states. "Entities should be taking proactive steps to identify weaknesses and gaps in their security and use a cybersecurity framework as a guiding policy to address cybersecurity vulnerabilities. Various entities throughout the state were found to be at risk of cybersecurity attacks and need to strengthen their security framework."

What the audit found

To understand the status of cybersecurity across the state, the Office of the Legislative Auditor General sent surveys to 620 entities in counties, cities, higher education, applied technical colleges, school districts and local districts. The results were presented to the Legislative Audit Subcommittee Tuesday afternoon.

"We believe government entities should be taking proactive steps to identify weaknesses and gaps in their security and use a cybersecurity framework as a guiding document to address those issues," the report says. "The implementation of cybersecurity-related controls varies across the state; overall, many entities still have room for improvement."

The report notes that only 37% of surveys were returned, so the results are not comprehensive, but among those that responded, adoption of industry security standards was low. Overall, 57% of respondents had adopted some form of security framework, such as the CIS Critical Security Controls or the NIST Cybersecurity Framework, but only 39% of cities and towns had done so.

Cities were also less likely than other entity types to report conducting regular vulnerability scans of their systems; only 41% said they had completed such scans.

"Cities were one of the entity types that experienced the most successful system security breaches while also having the lowest adoption of vulnerability scanning," the report states.

Another key finding was that communication between information technology departments and management is lacking, in part due to "communication style and technical understanding."

The audit described one such miscommunication, saying: "Management was looking for tangible assurance that its systems and processes were secure. IT believed it was providing that assurance by communicating, often in technical jargon, verbally to management."

The report recommends creating assessment standards in a format that is accessible to both IT professionals and management, as well as a structured process for communicating threats to management.

State government cybersecurity

When it comes to government branches and agencies at the state level, the audit made several recommendations, noting that the legislative IT office is not compliant with industry standards and that the judicial branch lacks updated planning and training for cybersecurity.

The Legislature's IT office "lack(s) a cybersecurity strategic plan, (has an) insufficient cybersecurity policy and does not have an incident response plan to guide cybersecurity of the legislative branch," the report says.

The audit also recommends that the judicial branch update its nearly decade-old cybersecurity plan, and that both the judicial and executive branches do more to ensure all employees complete annual cybersecurity awareness training. That training is meant to help employees recognize and resist social engineering attacks such as phishing, which the auditor says caused nearly $6 million in losses across the state between 2016 and 2022.

"Opportunities exist for Utah's three branches of government to improve their protection against cyberattacks by ensuring employees are getting trained," the audit states. "The legislative branch's cybersecurity team is relatively new, as the Legislature used to contract with the executive branch for cyber control. Accordingly, the Legislature should ensure that it has detailed policies and planning in place to strengthen controls and expectations."

What's next?

Several agencies have already responded, acknowledging the auditor's recommendations and saying they will act on them.

"As a result of the hard work of the (Cybersecurity) Commission, many of the recommendations are already being addressed, and we are grateful for the opportunity to use this legislative audit to assist in the Commission's work in 2023," wrote Department of Public Safety Commissioner Jess Anderson in a letter to the legislative auditor general.

The Legislative Services Management Council, the Department of Government Operations and the Administrative Office of the Courts also affirmed the findings.

"The Division of Technology Services/Department of Government Operations is committed to improving protection against cybersecurity threats," executive director Marvin Dodge wrote. "We value the insight this audit has provided and look forward to implementing solutions for improvement."