An audit of Utah government computer systems issued Tuesday said the state’s cybersecurity needs to improve and warned of costly consequences if it does not.
“Cyberattacks have cost the state of Utah millions of dollars and will continue to cost the state if cybersecurity measures are not taken,” legislative auditors wrote in the report.
The audit identified several state entities that, it said, “were found to be at risk to cybersecurity attacks and need to strengthen their security framework.”
Many of the entities the auditors surveyed — including state agencies, local governments and school districts — had security policies that were not up to standards and lack incident response plans that could minimize the damage of a successful attack.
Employee training is also inconsistent, creating the potential that an unwitting worker could create a vulnerability used by hackers to access the entity’s network. Auditors recommended the state require annual cybersecurity training for all of its employees, as is already done in 18 states.
The audit did not report on how frequently government computers are targeted for cyberattacks, but in 2021 the Division of Technology Services reported that it blocked 1.7 billion attempts to connect to state networks and prevented 10,000 malicious attempts to connect to the state system every day.
What happens when things go wrong?
In 2019, a ransomware attack hobbled Garfield County’s computer system for weeks before the county agreed to pay the hackers to restore services.
In 2020, San Juan and Emery counties were hit with spear-phishing attacks, where someone posing as a county employee fraudulently requested funds be sent to an account, that cost the counties tens of thousands of dollars.
And that same year, the University of Utah hospital fell victim to a ransomware attack and had to pay nearly $457,000 to resolve the issue.
Here’s the good news: Toward the end of 2021, Gov. Spencer Cox created a cybersecurity task force, aimed at identifying vulnerabilities and beefing up security.
And last session, the Legislature passed SB127, creating the Utah Cyber Center to develop a strategic cybersecurity plan, coordinate security planning and help synchronize a response to attacks.
It’s encouraging that the threat is being taken seriously but, as the audit shows, vulnerabilities remain.
Fixing them won’t be cheap, but it’s imperative.
Because government entities keep a trove of information on each of us — everything from driver license information and voter registration to things like medical records and tax filings — and the amount is only likely to grow.
“It’s a lot cheaper, even though it is expensive, to prevent an attack than it is to deal with one,” said Senate President Stuart Adams. “The liability is horrendous.”
He’s right. We’ve probably been lucky that cyberattacks in Utah haven’t taken a heavier toll. But we can’t accept governments at every level allowing our personal information to be jeopardized.