The Texas Senate held its first select committee Wednesday to review processes and give lawmakers a crash course in cybersecurity.
The committee was mandated by House Bill 8 that passed earlier this year.
Texas is no stranger to cybersecurity problems. In 2011, the state comptroller's office left more than three million social security numbers exposed on the web for a year. The error would reportedly cost the state $1.8 million.
But according to the state's chief information security officer, Nancy Rainosek, the threat from malicious actors is an even bigger concern.
"We block billions of attempts every month," she said.
“Billion with a ‘B’?” committee chair Jane Nelson, R-Flower Mound, said.
According to an analysis by business consultants Deloitte and the National Association of State Chief Information Officers, the federal government spends 16 percent of its IT budget on cyber security, banks and other private financial institutions spend 8 percent, while states on average spend just 2 percent.
"So states are well behind and my comment is always that states should invest and fund cybersecurity commensurate to the risk," report co-author Doug Robinson said.
Robinson is also the president of NASCIO and said they see in their surveys funding is always the No. 1 challenge to state information security officers.
Wednesday's hearing highlighted strategies being implemented by agencies across the state, from health and human services to public safety. 70,000 employees can do training from the SANS institute. The comptroller's office would become the first agency to implement two-factor authentication for its network systems administrators.
According to Texas Association of Government Information Technology Managers President Mike Sturm the state's 961 municipalities, where budgets are tight and staffing is low, are where the real vulnerabilities lie.
"It’s a scary world out there at the local level," he said.
Sturm is speaking from experience. He also runs San Marcos' IT department. The city of 60,000 has fallen victim to multiple phishing scams, including one where the city lost money, one in which the W2s of 800 employees were exposed, and a ransomware attack.
The committee is tasked with making recommendations to the next legislature on cybersecurity priorities.
Paul Flahive can be reached at paul@tpr.org or on Twitter @paulflahive