Sask. school systems vulnerable to cybersecurity threats, auditor's report says
CBC
Saskatchewan's provincial auditor says 13 school divisions are vulnerable to cybersecurity threats.
A report released Tuesday by Tara Clemett found 13 of 27 school divisions in Saskatchewan "use a key financial IT system — managed by a third-party service provider — with identified system vulnerabilities that expose them to increased cybersecurity risks."
The report said a key IT system used in those school divisions had outdated software as of August 2021.
It said while a third party manages the IT system, school divisions are responsible "for managing risks associated with their IT systems and data."
The audit recommended "the Ministry of Education work with impacted school divisions to establish a process to monitor the key financial IT system and the IT service provider."
"Cybersecurity remains a real threat highlighted by the recent breach to the Regina Public Schools IT system," Clemett said Tuesday.
The Regina Public School Division recently had to shut down its internet-based systems, including email and educational tools, because of a cyber attack.
Last month, CBC News reviewed a copy of a note from an organization called BlackCat/ALPHV, which experts say is well known for employing ransomware attacks.
The note alleges that 500 gigabytes of files belonging to Regina Public Schools have been encrypted and that the group now possesses copies of data ranging from tax reports and health information to passports and social insurance numbers.
Clemett said agencies need to be proactive in planning for a scenario in which they are victims of a ransomware or cyber attack.
"I encourage agencies to always focus on that disaster recovery plan now with IT risks evolving as fast as they do," Clemett said.
"You are not going to ever be 100 per cent ready or secure. It's a matter of, 'I probably have the potential to be breached and when I am breached, how quickly can I recover?'"
In a statement to CBC, the province said it "takes the recommendations of the provincial auditor seriously and will continue efforts to improve processes to safeguard public resources."
Saskatchewan's Ministry of Education said it expects divisions will work with IT partners to "ensure divisions are receiving standard security reporting from their service provider on a timely basis."