Local government agencies in Missouri can avoid common mistakes and take several steps to safeguard electronic data from hacking, theft and other disruptions, according to a cybersecurity review published by Missouri Auditor Nicole Galloway. The Auditor today released her annual summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard data.
"Government faces the same cybersecurity challenges as the private industry, except that it's taxpayer resources that are put in danger of being lost, misused or stolen when security controls are inadequate," Auditor Galloway said. "Public entities must be proactive and vigilant when it comes to cybersecurity."
The summary was compiled using local government and court audit reports issued between July 2021 and June 2022. Auditor Galloway's office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:
- Access - Former employees did not have their access removed promptly, and current employees had greater access to the computer system than they needed to do their jobs.
- Passwords - The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough, and in some cases passwords were not required at all.
- Security controls - Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts. Antivirus protection software was not installed on computer systems.
- Backup and recovery - Data backups were not periodically made, stored at an off-site location, or periodically tested; one audit found that the local government did not have a plan in place to allow computer systems to be quickly restored in case of a disaster.
As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations to help the local governments protect electronic data. They include:
- Ensure user access rights are limited to only what is necessary to perform job duties and responsibilities;
- Ensure user access is promptly deleted following termination of employment;
- Ensure passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;
- Ensure users understand the importance of maintaining the confidentiality of passwords;
- Put controls in place to lock computers after inactivity or unsuccessful log-on attempts;
- Ensure computers and systems are adequately protected from computer viruses;
- Ensure data is regularly backed up, stored in a secure off-site location, and tested on a regular basis; and
- Develop a formal disaster recovery plan and periodically test and evaluate the plan.
The complete report on information security controls in Missouri local governments and courts is available here.