Manitoba needs to do better when it comes to IT security risks, remote work: Report

Auditor calls for better data encryption, security awareness training for workers, updated security policies and procedures

Manitoba needs to do better when it comes to IT security risks, remote work: Report

While Manitoba is managing IT security risks associated with remote access, some improvements are needed.

That’s according to a new report from Auditor General Tyson Shtykalo, Managing IT Security Risks for Remote Access.

“The global COVID-19 pandemic transformed the traditional workplace structure. Employees in a variety of sectors learned to work remotely, or share time between home and the office,” he said. “I’m encouraged that Manitoba has introduced security measures to protect information and systems used by employees to work remotely, but there is still more to be done.”

Shtykalo examined information technology systems after government employees began to work remotely during the COVID-19 pandemic.

In late January, Global Affairs Canada (GAC) looked into a cyber attack that affected its system for over a month. Meanwhile, it has taken the Toronto Public Library (TPL) months to recover from a cyberattack that took place in October last year.

Nearly all (95%) employers say that the threat of deepfakes has increased the risk of fraud at their companies, according to a previous report. And calls for employers to come up with policies and training on generative artificial intelligence (GenAI) are getting louder amid the growing use of the emerging tech among employees across workplaces.

Issues with IT security and Manitoba’s remote work

Shtykalo, in his report titled Managing IT Security Risks for Remote Access, found three issues with the way Manitoba does remote working.

First, the province uses encryption to protect data, but some settings need to be improved.

Also, roughly 30% of provincial employees have not taken mandatory security awareness training.

“The training is crucial for educating employees about potential threats, safe practices and the importance of maintaining security procedures,” Shtykalo wrote in his report.

“Remote workers who have not undergone security training are more likely to fall victim to phishing emails and other social engineering tactics. This can result in compromised credentials, malware infections and data breaches.”

 The report says the completion of this training ensures that all employees, especially those working remotely:

  • are equipped with necessary knowledge of how to suitably use the government’s network.
  • could recognize and respond to threats accordingly.
  • reduce cyber-attacks caused by human errors.

Lastly, security policies and procedures related to remote work are outdated.

“Addressing these findings would create a more secure work environment,” Shtykalo said.