International Internet Magazine. Baltic States news & analytics Friday, 23.08.2019, 05:54

Audit: Estonian local governments don’t guarantee security of data

BC, Tallinn, 12.06.2018.
The security of the data entrusted to Estonia's local governments is not guaranteed as required, according to an audit conducted by the National Audit Office, cites LETA/BNS.

The risks related to IT security are not acknowledged by the audited self-governments and therefore the requirements established by the state are not complied with even though they have been in effect for almost 10 years. The provision of information and financial support by the state has not led to the expected development, the National Audit Office said in its press release.

None of the audited local governments had assessed the security needs of the data held in their databases. Occasionally, local governments even struggle with the application of security measures of the lowest level. In many cases, IT users had been given unrestricted rights too easily, oftentimes there was no overview of who could access what, password management was inadequate, the installation of security patches had largely been left up to users, and the legality of software on workplace computers was not checked.

Commenting on the findings, Auditor General Janar Holm said: "Sometimes, local governments reminded the auditors of the National Audit Office of the Wild West, where people had not heard anything about the requirements for information systems effective in Estonia."

The audit found that the overall information security culture of local governments was low among employees and the management alike. Often there were no guidelines for handling IT facilities, or the guidelines had not been introduced to the employees or were not followed in real life. There was no training or information provided to support compliance with internal IT requirements.

"The biggest concern is that the auditors met officials at local governments to whom the need to implement a system of security measures, including for data protection, was about as difficult to understand as the need to invest in a tourist trip to Mars – it's something distant that will not happen in their lifetime anyway," Holm said. "At a time when the number of known cyber incidents in Estonia already exceeds 10,000 per year, it is naive and dangerous to keep thinking that 'this will not happen to us' or 'our data are not important'."

The small number of IT specialists in local governments may be a reason for the shortcomings. In general, in small local governments IT has been transferred to the area of responsibility of a specialist of another field, and in medium-size local governments the IT service consists of one or two specialists. They are mainly able to provide technical IT support, but there is little specialization, including in information security. The appointment of an information security manager or a person who performs these functions is mandatory for a local government upon the implementation of a system of security measures. Since hiring a separate person for this would often not be reasonable, the National Audit Office finds that local governments could cooperate more with the private sector or other local governments in this sphere.

The reasons for the problems can also be seen in the state's activities, the National Audit Office said. Furthermore, considering the current situation of information security in local governments, the supervision exercised by the state cannot be considered adequate, it noted.

The National Audit Office acknowledged the audited local governments that, during the audit, started to considerably improve their attitude towards their obligation to guarantee data security, and made a number of recommendations to local governments to improve the situation.
