Cybersecurity Weaknesses Identified in Kansas Government Audit
Cybersecurity Weaknesses in Kansas Government
Roughly half of Kansas government agencies, including key departments, public universities, and K-12 schools, have significant cybersecurity weaknesses. According to a recent report from the Kansas Legislative Division of Post Audit, many of these agencies have not implemented adequate measures to protect against cyberattacks, despite ongoing efforts to enhance security.
The audit revealed "significant weaknesses in several security control areas" across 20 audited agencies. The report indicates that nearly all entities failed to adequately scan or patch systems, and more than half lacked sufficient incident response plans. In addition, most agencies did not appropriately test their security strategies.
Auditors found that many agencies did not provide proper security awareness training. For example, employee information, including names and Social Security numbers, was found in overflowing shred bins, and at least one agency had passwords written on whiteboards. The audit did not specify which agencies faced these issues, but it listed the agencies involved, including the Kansas Department of Transportation and Kansas State University.
The report emphasizes the risks posed by these vulnerabilities, stating, “State and local entities could face significant consequences if hackers are able to access an entity’s network or confidential data because of poor security controls.” Cybersecurity experts noted that the findings are typical for organizations that under-invest in security measures.
Marty Edwards, deputy chief technology officer at Tenable, remarked on the results, stating, “Organizations that have really strong and healthy investment in personnel and technology usually don’t have these kinds of findings.” Doug Jacobson, director of the Center for Cybersecurity Innovation & Outreach at Iowa State University, highlighted the importance of security training, as attackers increasingly target individuals rather than systems.
For additional insights, see the full report from the Kansas Legislative Division of Post Audit.
Historical Context and Previous Concerns
This report is not the first to raise alarms about cybersecurity within Kansas government. A 2021 state audit revealed that K-12 schools were unprepared for cyberattacks, with 69% of responding districts lacking a response plan and 28% not having antivirus software installed on all computers.
Moreover, an external review of the Kansas Department of Labor by BKD Cyber found that the agency had only partially implemented essential cybersecurity best practices. These findings point to a consistent trend of vulnerabilities that persist in state agencies.
In a notable incident in 2019, cyberattacks vandalized numerous county websites in Kansas, demonstrating a significant risk to public infrastructure. In another example, a rural water system faced a major incident when a former employee remotely disabled cleaning procedures due to outdated credentials.
For more context, read about the vulnerabilities faced by K-12 schools and the external review of the Kansas Department of Labor.
Legislative Efforts and Future Directions
Kansas has made strides to improve cybersecurity, including the passage of a cybersecurity law in 2018, which established a state chief information security officer and a Kansas information security office. The Kelly administration has hosted cybersecurity summits over the past four years, with participants engaging in simulated ransomware attack exercises.
Despite these efforts, the recent audit suggests that more work is needed to strengthen security across state agencies and school districts. State Sen. Rob Olson acknowledged the progress made but indicated that Kansas is not yet where it needs to be in terms of cybersecurity readiness.
The Kansas Department of Administration has declined to comment on the audit's findings, but officials within the agency have expressed optimism about the progress made since the cybersecurity law's implementation.
To learn more about the Kansas cybersecurity law, visit the Kansas Legislative Research Department’s page. For details on recent cybersecurity summits, refer to the summary shared by state officials.