British Columbia’s government is vulnerable to cybersecurity threats and needs to be unwavering in its search for possible attacks, said the province’s auditor general.
In a report released Thursday, Russ Jones outlined how an audit by his office found security vulnerabilities ranking from medium to critical in more than half of the government’s Web applications that it reviewed.
Mr. Jones said the security audit, conducted from December, 2012, to February, 2013, produced a swift response from the government to erect security protections.
But the report concludes the government must do more to stay abreast of security threats because cybercriminals are always looking for new ways to steal information.
The 26-page audit, titled Information Technology Compendium, said 56 per cent of government Web applications reviewed in the report were not adequately protected and contained one or more cybersecurity risks, ranking from medium to critical. The audited scanned the security vulnerability of 80 government Web applications and found more than half were not adequately protected and contained security risks.
The report stated there are 1,500 of the government applications and 437 are public. Web applications are programs embedded into websites to perform specific functions.
“The government of British Columbia uses its websites to interact with its citizens, provide program information and offer online services,” the report stated. “Online services include, but are not limited to, applying for a medical service plan, social assistance, permits and licences, legal services, completing a land title search and researching property assessments.”
Mr. Jones said his audit did not identify any security breaches, but the major theme of the audit was to reveal the constant and ever-present cybersecurity threat facing the government and the personal information of British Columbians.
“These vulnerabilities could allow cybercriminals to access confidential information or cause malicious activity,” the report said. “Based on the high number of critical, high and medium vulnerabilities found per web application, we determined that public-facing web applications are not adequately protected from cybersecurity threats.”
Mr. Jones makes four recommendations to ensure government cybersecurity vulnerabilities are monitored, investigated and prevented.
He would like to see the government’s Office of the Chief Information Officer incorporate a compliance review of government ministries for cybersecurity policies and standards.
Bette-Jo Hughes, the government’s chief information officer, stated in the report that her office communicated the need to tighten security to all ministries. “Ministries have reviewed the vulnerabilities of their applications, developed their mitigation plans and are working to complete implementation,” she said.
Mr. Jones said cybersecurity threats require constant government vigilance. “I really think that going forward, as long as they take a look and implement the recommendations that we’ve put forth, the public interest will be well-served,” he said in an interview.