RICHMOND -- A state audit of IT security and stability at dozens of state agencies and government offices in the Commonwealth of Virginia has found major holes in the computers that store sensitive information on millions of Virginians.
The state auditor’s office conducts audits on the IT systems at state agencies as it inspects their financial books each year.
Results for fiscal year 2013 -- the most recent period for which figures are available -- show that just half of state agencies had adequate backup and restoration procedures in place and fewer than 60% of agencies had a disaster recovery plan or had sufficient database security.
Jeri Prophet, who runs the IT firm IntellecTechs, said the auditor’s report is cause for grave concern, especially the gaps in database security.
“The information that should really be protected is sitting in those databases,” Prophet said. “The fact that their security is lacking is probably a red flag.”
For instance, someone who could hack into the DMV database could access the name, date of birth and address of anyone with a driver’s license, Prophet explained.
“All of that information is readily available. It’s all in those database tables,” Prophet noted. “So, if they were able to get access… they pretty much have the keys to the castle.”
Goran Gustavsson heads the division of the state auditor’s office that monitors IT and systems security and readiness. He said some of his team’s findings sound worse than they really are, but he admits the number of findings has increased in recent years.
Auditors also found that some agencies didn't cancel the log-in credentials of fired employees. One worker at Behavioral Health and Developmental Services still had log-in credentials more than 700 days after being dismissed. Other agencies had employees who retained log-in credentials for hundreds of days.
13News Now requested invoices for more 13 state agencies singled out in a state-wide audit overview. Of those agencies, five said money's been spent correcting problems pointed out by the auditor’s office. Combined, the five agencies spent more than $150,000 correcting problems, updating software and backing up systems.
The two agencies that spent the most fixing problems in response to the auditor’s findings were DMV and VABC.
Gustavsson said many of the IT professionals at state agencies are very capable but are held back by budget constraints.
“I think with the budget constraints that are coming down, that keep coming down, that it’s a challenge for agencies to keep up with standards that come out,” he said.