The Department of Homeland Security (DHS) appears to be making solid progress against a list of ten recommendations from the agency’s inspector general (IG) to improve internal cybersecurity policies and employee training practices, according to an August 22 IG report that covers audit results reaching as far back as fiscal year 2019.
The report delivered to DHS Chief Information Officer Eric Hysen features the ten recommendations “aimed at improving the Department’s mitigation of risk related to malware, ransomware, and phishing attacks.”
DHS concurred with all ten recommendations, and the IG report says that the agency’s corrective actions have left half of the recommendations “closed and resolved,” and the other half “open and resolved” pending full implementation of the recommendations.
At the heart of the IG recommendations are two issues. The first is DHS’ need to revise security policies and procedures to reflect the latest standards by the National Institute of Standards and Technology (NIST), and the second is to get up to speed on educating DHS personnel across various components on the risks from malware, ransomware, and phishing attacks.
The IG report takes pains to explain that DHS has done well in executing broad security strategies to protect its networks and data. It also concludes, however, that “DHS can better protect its sensitive data from potential malware, ransomware, and phishing attacks by revising its policies and procedures to incorporate new controls, in accordance with Office of Management and Budget guidance, and ensuring its users complete the required cybersecurity awareness training to mitigate risk.”
Until the IG’s recommendations are fully implemented, “DHS cannot ensure its sensitive information is secured,” the agency watchdog said.
The IG report also provides some revealing statistics on how often DHS is targeted by cyber attacks. It said the DHS CIO office recorded more than 3,000 “cyber incidents” reported by agency components between September 2017 and March 2021. Those incidents included 115 malware, ransomware, and phishing incidents, the IG said.