IG Calls on DHS to Up its Cybersecurity Game

Published on September 1st, 2022


An IG report has called on DHS, a department with major responsibilities over cybersecurity government-wide and nationwide, to step up its own internal protections in that area.

The report said there were more than 3,000 cyber incidents involving DHS components from October 2017 to March 2021, of which more than 100 involved malware, ransomware and phishing. “Although DHS has established guidance for its components to protect information and guard against cyber incidents, DHS has not updated all cybersecurity guidance” from the National Institute of Standards and Technology.

“Also, some DHS components did not (1) ensure users completed required cybersecurity awareness training; (2) consistently educate users about the risks of malware, ransomware, and phishing attacks; and (3) conduct phishing exercises, as required, in fiscal years 2019 or 2020,” it said.

Seven of the eight DHS components the IG evaluated did not comply with the requirements for annual cybersecurity awareness training, with two of them having less than a 50 percent completion rate in 2019-2020 and a third less than 60 percent. Further, the training materials “did not consistently educate users on the risks of malware, ransomware, and phishing attacks.”

Only four of the eight conducted semi-annual phishing exercises in FYs 2019 or 2020 and adequately documented the results, it said, noting that “according to NIST, most ransomware attacks are made possible by users who engage in unsafe practices, administrators who implement unsecure configurations, or developers who have insufficient security training.”





DHS does not have a centralized process to track or manage cybersecurity awareness training records, it added, leaving that up to components—whose records are incomplete.

It said management agreed with recommendations to address those issues.
