Cyber checkups: Common results from the first year of reviews

The Center for Government Innovation at the State Auditor’s Office is celebrating: its newest service, the cyber checkup, is one year old. These checkups provide a fast, no-cost, independent review of local government cybersecurity programs. Cyber checkups aren’t substitutes for an audit – and won’t find all vulnerabilities – but they give local governments actionable recommendations and resources to help address any weaknesses.

So far, the Center has completed 45 checkups for all types of local governments, from cities and towns to fire districts and school districts. Our checkups have helped governments both large and small, including those with annual revenues as high as $661 million and as low $225,000.

To celebrate the first year of this service, we identified some common results of these checkups, including areas where local governments are doing well or could use improvement. 

Top three cyber successes 

• Scanning email attachments. The checkup tests to see if the government’s email software prevents executable files from being delivered in an email. Malicious software can’t be installed if it never reaches a computer, so governments should ensure their email software won’t deliver attachments that are executable files. Nearly all the governments we have assessed had this scanning software in place. 

• Updating antivirus software. Cybercriminals are regularly creating new computer viruses, so local governments must keep their antivirus software updated. Keeping antivirus software updated is especially important because it can also stop spyware, adware, and other malicious software. Most of the governments we assessed kept their antivirus software current. 

• Applying patches regularly. Keeping other software updated is also crucial for keeping a secure information technology environment. When vendors learn about a security vulnerability, they will develop a patch to secure the software or hardware. However, it is up to users to apply the updates. Patches are applied to both software and hardware; patches to hardware can be overlooked, but they are important to apply to ensure the hardware runs securely. Many of the governments we assessed regularly applied patches developed by their software and hardware vendors. 

Top three areas for improvement 

• Adopting written IT policies. As part of our checkup, we look at whether governments have seven key IT policies in place. These policies cover things like multifactor authentication, acceptable use, and password requirements. None of the governments we assessed had the seven policies in place. Refer to our March 2024 blog post for more information on adopting specific IT policies as part of your government’s cybersecurity program. 

• Naming a designated lead for incident response. Only a handful of the governments we assessed had named people as the designated lead and backup lead for responding to cybersecurity incidents. In addition to naming a designated lead, it is important to identify a backup in case the lead person may be unavailable. Backup leads are also necessary in extended cases that require an incident command rotation to allow people to take breaks. Governments can respond to incidents faster when they have named people for these positions, and it allows these employees to prepare for the responsibilities. 

• Maintaining contact list information. Governments should keep a list with the current contact information of their service providers and emergency contacts. The list should be printed, and key personnel should have copies or know where to find one in situations where computers are not working. Some of the governments we assessed had complete contact lists; others had partial lists or did not have one at all. 

Ready for a checkup?

Whether your government has an established cybersecurity program or is just starting to build one, the Center’s checkups can give you actionable steps to improve your overall cyber health. Contact us today to schedule your cyber checkup! 

How to reach us for more assistance

Do you have questions about cybersecurity? The Center’s cybersecurity specialist is available to talk with you about best practices and resources. For assistance, reach out to us at Center@sao.wa.gov.