government agencies in Missouri can avoid common mistakes and take several
steps to safeguard electronic data from hacking, theft and other disruptions, State Auditor Nicole Galloway said. The Auditor today released her annual
summary of the most common cybersecurity risks found by her audits of local
governments and courts, along with recommendations those agencies can follow to
better safeguard data.
security controls are inadequate -- or even non-existent -- electronic data can
be put at great risk," Auditor Galloway said. "Local governments,
courts and school districts face the same cybersecurity challenges as
businesses, except that it's taxpayer resources that are put in danger of being
lost, misused or stolen. There are proactive measures public agencies can take,
and my office has provided several recommendations for better protection."
The summary was compiled using local
government and court audit reports issued between July 2020 and June 2021.
Auditor Galloway's office has released similar reports since 2015. The most
common cybersecurity issues found by the audits were:
- Access - Former employees did not have their access
removed promptly, and current employees had greater access to the computer
system than what they needed to do their job.
- Passwords - The audits found system administrators were not
requiring users to change their passwords periodically, passwords were
shared by users, and passwords were not required to be complex enough.
- Security controls - Computers were not set to lock after a certain
period of inactivity or after a certain number of unsuccessful log-on
- Backup and recovery - Data backups were not stored at an off-site
location and periodic testing of the backup data was not being performed;
one audit found that the local government did not have a plan in place to
allow computer systems to be quickly restored in case of a disaster
- Data management and integrity - The audit of one school
district found insufficient controls to safeguard attendance data, leaving
it at risk of improper changes and being inaccurately reported; another
audit found a cybersecurity risk because network access logs were not
always maintained or monitored.
As part of each audit that found
cybersecurity problems, Auditor Galloway made recommendations for the local
governments to help protect electronic data. They include:
- Limiting user access rights to only what is
necessary for job duties and responsibilities;
- Promptly deleting user access following termination
- Periodically reviewing user access to data;
- Ensuring passwords are periodically changed, are
adequate for security, and that unique accounts and passwords are required
- Putting controls in place to lock computers after
inactivity or unsuccessful log-on attempts;
- Storing backup data in a secure off-site location
and testing the backup data on a regular basis;
- Ensuring data integrity and audit trail controls are
in place to allow for proper accountability of all transactions; and
- Restricting the timeframe for making changes to data
and ensuring that the audit trail of changes is prepared and viewed for
complete report on information security controls in Missouri local governments
and courts is available here.