Audit: Third Of Sampled State Workers Flunk Fake Phishing Test

March 20, 2018

Nearly a third of 5,000 random state employees opened a fake phishing email meant to test the state’s cyber security training of its employees, according to an Office of Auditor General (OAG) report issued Friday.

That particular OAG finding was one of 14 findings from an audit of the state’s overall network and cyber security, although not among the more serious ones in the OAG’s eyes. 

The OAG designated five of its findings as more severe, some of which dealt with the state’s general ability to protect its networks from threats and vulnerabilities and to detect and prevent unauthorized or unmanaged devices from connecting.

There were also a number of findings pertaining to the state’s ability to have effective controls over who can access its systems, an issue that has persistently been flagged in audits of state IT networks. 

But the OAG phishing survey of state employees was similar to what the Michigan Department of Technology, Management and Budget (DTMB) did for all state employees, which MIRS reported on in January. 

However, DTMB would not release hard numbers on how many state employees clicked on the emails, citing it as a security issue. 

But the OAG published the results of its phishing test sent to 5,000 random state employees. According to the audit, 32 percent of the state employees opened the email, 25 percent clicked the link in the email, and 19 percent entered their credentials after clicking the fake spam link.

DTMB spokesperson Caleb Buhs said Friday the percentage of employees who clicked on links in DTMB’s tests was less than what the OAG reported.

The OAG also reported that an average of 68 percent of state employees participated in DTMB’s training programs. Its goal was 85 percent employee participation. 

Besides the cybersecurity training, the OAG also found these issues: 

– DTMB did not implement a network access control solution to help ensure that only authorized devices access the state’s IT network, and that unauthorized or unmanaged devices are detected and prevented from connecting. 

DTMB said it only partially agreed with the finding: It doesn’t have a single solution to make sure only authorized devices access the state IT network, and is currently conducting a pilot to determine the feasibility of implementing such a solution. 

– DTMB had not fully established and implemented configuration management controls to ensure that the state’s network devices are securely configured. 

The OAG said configuration management controls directly impact DTMB’s ability to protect the state’s network from threats and vulnerabilities. DTMB again only partially agreed with this, saying its “defense-in-depth” approach allows it to protect the state network from threats and vulnerabilities. 

– DTMB did not fully establish and implement an effective process for managing updates to the operating systems of network devices. DTMB agreed with the recommendation and on the need to establish a formal written process for analyzing security vulnerabilities. 

Asked if the audit leaves its readers with the impression that the state’s IT systems aren’t secure enough, Buhs said, “the data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem. 

“The Auditor General did a thorough job of reviewing our complex network environment,” Buhs said. “The recommendations that they made reflect best business practices, many of which we have already begun to implement. This audit provides us with a good roadmap for prioritizing future technology infrastructure investments.”

Senate Minority Leader Jim Ananich (D-Flint) had a different take on the OAG report. 

“Gov. Snyder was the CEO of a tech company and the DTMB is run by a cybersecurity expert — there is just no excuse for why Michigan’s top officials have failed to protect our state from hackers,” Ananich said, referring to DTMB Director David DeVries, who is also the state’s chief information officer. 

Audit: 80% Users Had More Access Rights Than Needed

In another audit Friday with related issues, the OAG found a specific state IT system had granted 80 percent of a selected number of user accounts more access rights than needed for those users to perform their jobs. 

This report focused on MiWaters, a web-based permitting and compliance system used by the Michigan Department of Environmental Quality (DEQ) and its Water Resources Division, for which DTMB provides IT services.

The OAG looked at 60 user accounts it “judgmentally selected” and found that 80 percent of them did not require some or all of the assigned access rights, based on those users’ job responsibilities. 

DEQ said in its response it agrees with the OAG’s recommendation and said it would continue to evaluate access controls.
