The Kansas state government is in dire need of improving its computer security. A legislative audit of nine agencies found that the state government does not do enough to keep confidential information safe from hackers. The Associated Press reported that auditors were able to crack a significant number of employee passwords at six of the nine state agencies investigated.
The state agencies included in the audit were the departments of Commerce, Corrections, Education, Labor and Revenue, the state treasurer’s office, Juvenile Justice Authority, Board of Indigents’ Defense Services and the Department of Wildlife, Parks and Tourism. These agencies were selected because of the amount of confidential information they have in their electronic files, which includes Social Security numbers, tax return data and other information that could identify individuals, according to the AP.
“Some agencies are responsible for protecting millions of confidential records, which makes them a potentially enticing target for hackers,” the audit stated.
Auditors found the state provides only limited oversight of the security controls these agencies have in place. Terry Bruce, the soon-to-be Kansas Senate majority leader, said the audit report has encouraged state leaders to take security threats more seriously and to implement features to prevent a future data breach.
The security issues have been tied to the decentralization of the state’s computer system, and the executive branch’s chief computer security official, John Byers, said his office is working to address and fix the problem. The state’s governor, Sam Brownback, has an office overseeing management of the executive branch’s computer system.
Kake.com reported that seven of the agencies audited didn’t require employees to change their passwords regularly. One of the agencies also required its employees to give their passwords to supervisors and IT personnel, which auditors found to compromise security even more.
What are your organization’s computer security standards? Do employees have to turn over passwords? If so, do you agree with the Kake article that the practice compromises security?