B.C. auditor general: govt web apps pose cyber security risks

In a report released Thursday, Russ Jones outlined how an audit by his office found security vulnerabilities ranking from medium to critical in more than half of the government’s web applications that it reviewed.

Jones said the security audit, conducted from December 2012 to February 2013, produced a swift response from the government to erect security protections.

But the report concludes the government must do more to stay abreast of security threats because cyber criminals are always looking for new ways to steal information.

The 26-page audit, “Information Technology Compendium.” said 56 per cent of government web applications reviewed in the report were not adequately protected and contained one or more cyber security risks, ranking from medium to critical.

The audited scanned the security vulnerability of 80 government web applications and found more than half were not adequately protected and contained one or more security risks.

The report stated there are 1,500 of the government applications and 437 are public.

Web applications are programs embedded into websites to perform specific functions.

“The government of British Columbia uses its websites to interact with its citizens, provide program information and offer online services,” the report stated.

“Online services include, but are not limited to, applying for a medical service plan, social assistance, permits and licences, legal services, completing a land title search and researching property assessments.”

Jones said his audit did not identify any security breaches, but the major theme of the audit was to reveal the constant and ever-present cyber security threat facing the government and the personal information of British Columbians.

“These vulnerabilities could allow cyber criminals to access confidential information or cause malicious activity,” the report stated. “Based on the high number of critical, high and medium vulnerabilities found per web application, we determined that public-facing web applications are not adequately protected from cyber security threats.”

Jones makes four recommendations to ensure government cyber security vulnerabilities are monitored, investigated and prevented.

He would like to see the government’s Office of the Chief Information Officer incorporate a compliance review of government ministries for cyber security policies and standards.

Bette-Jo Hughes, the government’s chief information officer, stated in the report that her office communicated the need to tighten security to all ministry’s.

“Ministries have reviewed the vulnerabilities of their applications, developed their mitigation plans and are working to complete implementation,” stated Hughes.

Jones said cyber security threats require constant government vigilance.

“I really think that going forward, as long as they take a look and implement the recommendations that we’ve put forth, the public interest will be well-served,” he said in an interview.