Province says oversight improving after report highlights IT risks
The Manitoba government has been warned it’s facing a security risk because of its reliance on third-party cloud-based technology to store data and keep essential government services operating.
“With most new IT projects relying on cloud-based solutions, ensuring the province’s information systems are secure, reliable, and well-managed is essential,” Tyson Shtykalo, the provincial auditor general, said in a news release as he issued a report into the matter.
Cloud technology may be used for customer portals, online booking and online services, among other things.
Shtykalo’s office reviewed relevant documents and procedures. It also studied 15 cloud service providers that were used between April 2022 and March 2025. Officials found there was no approved cloud vendor management framework, meaning departments used cloud services inconsistently.
Vendor selection documents were often incomplete or missing, limiting the government’s ability to show it had picked organizations that meet security and operational requirements.
Some contracts lacked key security needs, and cloud service providers weren’t subject to regular monitoring, the report said.
New Technology Minister Mike Moroz pointed to the Tory government, saying the findings stem from the Progressive Conservatives’ policies in office.
The New Democrats were elected in 2023.
“We’ve already started improving vendor oversight, strengthening cyber security,” Moroz said.
The New Democrats created the department of innovation and new technology in late 2024. Not having the department contributed to a lack of oversight, Moroz said, adding the IT job vacancy rate has dropped to 33 per cent from 40 per cent over the past three years.
“There was a lot of contracting out of positions to get IT work done under the previous government,” Moroz said. “We’re moving away from that. We want in-house resources available.”
Tory technology critic Josh Guenter declined to comment on the auditor general’s report Thursday, saying he hadn’t had a chance to review it.
“The minister and his department have been there for a number of years now and have done, really, nothing to advance and protect the security of Manitobans and their private data,” Guenter said.
He hasn’t heard a “sufficient answer” from the NDP about security breaches at Manitoba school divisions, he said. Pembina Trails School Division and the University of Winnipeg were hit with cyberattacks over the past two years.
The auditor general proposed six recommendations, including centrally tracking cloud service provider documentation and publishing cloud use guidelines for all departments to follow.
Management has agreed to implement recommendations by Dec. 31, 2027, the report said.
Moroz cited legislation he introduced this spring session. In part, it’s meant to tackle accountability frameworks and regulate cybersecurity incident reporting.
Canada lags behind the United States for cloud use compliance and certification, said Jason Kolaski, president of Constant C Technology Group.
“We’re catching up, but right now with cloud changing so fast … everyone’s moving to ‘What’s the next thing?’” Kolaski said. “Every time there’s a new version or something changes, there could be security issues and problems that come out.”
Monitoring cloud security largely falls on the service provider — such as Amazon Web Services or Microsoft — but it’s important for customers, including governments, to take some responsibility, Kolaski added.
Departments might require different cloud-based applications based on their needs. Still, having a central depository — a single place where cloud usage is monitored and regulated — is critical, Kolaski said.
gabrielle.piche@winnipegfreepress.com
Gabrielle Piché reports on business for the Free Press. She interned at the Free Press and worked for its sister outlet, Canstar Community News, before entering the business beat in 2021.