Manitoba not doing enough to protect information systems: auditor general

Hey there, time traveller!
This article was published 13/10/2022 (1063 days ago), so information in it may no longer be current.

WINNIPEG – The Manitoba government needs to better protect its information systems from internal misuse and outside attacks, the provincial auditor general said Thursday.

Tyson Shtykalo’s 21-page report focused on system administrators and other people with deep access to systems in a few departments that contain personal, corporate and health information. The audit ran from 2018 to March of this year.

The report says password requirements are not strong enough in some areas.

“For example, improvements are needed to the standards that govern identification and authentication, and information systems have not been configured to enforce quality passwords as required by … standards,” the report states.

“Good identification and authentication standards include multifactor authentication, minimum number of failed login attempts, inactive session terminations, minimum password length, password complexity … and password history.”

Shared Health, which co-ordinates provincial health care, has given out privileged access to some workers without formal, documented approval and did not revoke some workers’ access immediately when they left their jobs, Shtykalo wrote.

Some Shared Health workers were given higher levels of access than they need for their jobs, he added.

The report also calls for better monitoring of people who use information systems, in order to detect any unauthorized activity.

“An unauthorized person with privileged access could steal data or funds, disrupt operations or cause system outages,” Shtykalo said.

Shtykalo said he shared more detailed information with the departments involved in his audit, but did not include it in the report.

“If this information is disclosed publicly, cyber threat actors could misuse it to compromise systems operated by these entities,” the report states.

The Progressive Conservative government said it had already started to implement many of the report’s recommendations. But the government may not engage in monitoring users as thoroughly as the auditor would like.

“Some people obviously don’t enjoy being monitored … so we have to make sure that we work with the individuals on that basis, on what’s done on the systems, as opposed to a broad-brush approach to everybody being subjected to the same outcomes,” said Reg Helwer, minister for government services.

The Opposition New Democrats called for tighter cybersecurity immediately.

“In today’s knowledge economy, good digital security to protect your private personal information is as important as having a lock on the front door of your house,” NDP Leader Wab Kinew said in a statement.

This report by The Canadian Press was first published Oct. 13, 2022.