

Cybersecurity audit of Utah state government released

Posted at 8:23 PM, May 16, 2023
and last updated 2023-05-16 23:08:02-04

SALT LAKE CITY — Cyberattacks have cost the state of Utah millions of dollars, and auditors fear they will continue to do so unless the state implements stricter security.

The latest “Performance Audit of Cybersecurity in the State of Utah” breaks down which government branches and state-operated entities have the best cybersecurity practices in place and highlights the ones that need the most improvement.

“It just takes one successful attack to get through and that can bring everybody down,” said audit manager Jesse Martinson.

In the findings from the Office of the Legislative Auditor General, researchers found many state offices don’t have the best practices or incident response plans.

“Losses are not necessarily financial; they could include credibility, information, and time unable to fulfill necessary functions,” wrote auditors.

“Everybody’s heart is in the right place. Everybody wants to do the right thing,” said chief information security officer Phil Bates. “But there is a cost to do this and I think we just need to find a way and make that something that’s going to be realistic.”

In a survey sent to over 600 state officers across Utah, schools were found to have the strongest framework. Cities and towns were ranked the lowest.

“Some of them only have one person doing the entire cybersecurity, sometimes it’s not even someone doing it full-time,” said Martinson.

It’s no surprise to library visitors like Joseph Haber that the state is playing catch-up with cybersecurity.

“If I’m in a public place like this library, I always use a VPN on both my phone and my computer just to make sure no one else has access to that,” said Haber.

State employees promise moves are already being made.

The Utah Legislature created a Cybersecurity Commission in 2022, and in this last legislative session, they passed a new bill that requires entities to report when they have a cyberattack.

“It’s such a fast-moving thing, that yes, it’s always going to be in need of improvement,” said Haber.

In the survey featured in the audit, the response rate was only 37%. Auditors said the low response rate is not enough to “adequately determine the overall risk to the state.”
