Skip to content

British Columbia government lax on cybersecurity practices, auditor reports

VICTORIA — The British Columbia government must do a better job of protecting its computer systems from cybersecurity threats, says auditor general Michael Pickup.
20210119140124-938f59aa2644fd00b569c2f7985b70f2c21932342bdb3822bc77fb89168f4576

VICTORIA — The British Columbia government must do a better job of protecting its computer systems from cybersecurity threats, says auditor general Michael Pickup.

An audit of five government ministries found only Education and the information branch of Citizens' Services provided strong protections against potential threats, he said Tuesday.

The audit concluded the ministries of Finance, Health and Natural Resources as well as much of Citizens' Services did not have adequate cybersecurity practices to manage its information technology systems, Pickup told a news conference.

The report did not highlight a specific threat, but it found breaches in cybersecurity are increasing globally.

The audit says studies show cyberattacks occur every 39 seconds or an average of 2,224 times a day. Data breaches exposed 8.4 billion records globally in the first four months of last year, it says.

Pickup said organizations with poorly managed security practices are vulnerable to attacks.

"These weaknesses could hinder the ability of the ministries to develop and implement appropriate safeguards to protect their IT assets from cybersecurity threats," he said.

The audit found security standards at the ministries lacked specific definitions of roles and responsibilities, said Pickup.

It also found inappropriately maintained inventories, including unauthorized devices on networks and records that were missing important data, he said.

"The established policies and standards, they lack specific guidelines to identify and manage IT assets for the purpose of managing cybersecurity risks," Pickup said.

Last June, an investigation by the information and privacy commissioners of B.C. and Ontario found LifeLabs failed to protect the personal health information of millions of Canadians because of a large privacy breach in December 2019.

The commissioners said in a statement LifeLabs didn't have adequate security in place and failed to take reasonable steps to protect personal health information in its electronic systems.

LifeLabs said after the commissioners' report that it had appointed a chief information security officer to undertake a gold-standard enhancement of its information technology security systems.

In 2015, the B.C. government said a hard drive containing the personal records of 3.4 million B.C. and Yukon students and teachers, dating back more than 30 years, had disappeared.

Pickup said the audit makes seven recommendations, all of which have been accepted by the government.

"While government has security controls to protect IT assets and the information residing on them, there is more we can do in this area," says a government response included in Pickup's audit.

"Existing controls include device authentication, encryption, ability to remotely wipe a device that is lost or stolen and regular patching of vulnerabilities," says the response.

The government says it will launch a review, due for completion in December 2021, that examines ministry cybersecurity roles and responsibilities and includes guidelines and procedures to maintain risk protections.  

Pickup said he expects the audit's findings to be discussed by members of the legislature who sit on committees overseeing information technology services.

"These reports are tools for the folks in the legislature to then look to government and hold them accountable on why are these things happening to start with and how does government improve," he said.

Pickup said his office is also planning a future review of the government's computer systems during the COVID-19 pandemic because many government employees are working from home.

This report by The Canadian Press was first published Jan. 19, 2021.

Dirk Meissner, The Canadian Press