Local government agencies often make common cybersecurity mistakes, Auditor Galloway says. Here's what they can do to safeguard data.

JEFFERSON CITY, Mo. (Aug. 14, 2018) Local governments often make common mistakes that put electronic data at risk of hacking and theft, Missouri State Auditor Nicole Galloway says. The Auditor today released a summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard their data.

"A week doesn't go by that we don't hear about a significant data breach compromising information that needs to be tightly protected," Auditor Galloway said. "These security challenges largely didn't exist 25 or 30 years ago, but local governments often have been slow to catch up in the fight against cybercrime. The conversation on how to safeguard personal data has been taking place in corporate boardrooms for years, and it needs to happen in city halls, courtrooms and school administrative offices across Missouri."

The summary was compiled using local government and court audit reports issued between July 2017 and June 2018. Auditor Galloway's office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:

• Access: Former employees did not have their access removed promptly, and current employees had greater access to the computer system than what they needed to do their job.
   
• Passwords: The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough, and in some instances, no passwords were even required for access.
   
• Security controls: Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts.
   
• Backup and recovery: Data backups were not stored at an off-site location, and periodic testing of backup was not being performed.
   
• Data integrity and tracking: Controls were not in place to guard against improper changing or destruction of data, and the systems also don't track who is responsible for changes or how the changes were made.
   

"Our audits found that often the most routine of computer safety protocols -- such as changing, or even using, passwords -- are not being followed," Auditor Galloway said. "Government owes these basic protections to the citizens they serve."

As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations for the local governments to help protect electronic data. The recommendations, also given in the summary released today, include:

• Limiting user access rights to only what is necessary for job duties and responsibilities;
   
• Promptly deleting user access following termination of employees;
   
• Periodically reviewing user access to data;
   
• Ensuring passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;
   
• Putting controls in place to lock computers after inactivity or unsuccessful log-on attempts;
   
• Storing backup data in a secure off-site location and testing the backup data on a regular basis;
   
• Ensuring data integrity and audit trail controls are in place to allow for proper accountability of all transactions; and
   
• Restricting the timeframe for making changes to data and ensuring that the audit trail of changes is prepared and viewed for accuracy.
   

Since taking office, Auditor Galloway has made cybersecurity a priority across all levels of government. She was honored by the Center for Digital Education for her Cyber Aware School Audit program, which was designed to increase safeguards against unauthorized access to student records and information. She successfully pushed for cybersecurity protections for Missouri students and their families in an education bill that was signed into law this summer. Passage of the school cybersecurity bill comes after she completed five school district audits focused on cybersecurity and went to 12 Missouri schools to recognize districts that had proactively implemented parental notification policies when student data was compromised. The law will take effect Aug. 28, shortly after the beginning of the new school year.

"Our public schools are entrusted with data from students and their families and like any sensitive information, it must be safeguarded," Auditor Galloway said. "For the first time ever, parents across Missouri will have the right to know when there are cybersecurity breaches at their schools so they can take any necessary actions."

The complete report on information security controls in Missouri local governments and courts is available here.

For more information, contact: 

media@auditor.mo.gov