Local government agencies in Missouri can avoid common mistakes and take several steps to safeguard electronic data from hacking, theft, and other disruptions according to a cybersecurity review published by Missouri Auditor Nicole Galloway.
The Auditor released her annual summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard data.
“Government faces the same cybersecurity challenges as the private industry, except that it’s taxpayer resources that are put in danger of being lost, misused or stolen when security controls are inadequate,” Auditor Galloway said. “Public entities must be proactive and vigilant when it comes to cybersecurity.”
The summary was compiled using local government and court audit reports issued between July 2021 and June 2022. Auditor Galloway’s office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:
- Access – Former employees did not have their access removed promptly, and current employees had greater access to the computer system than what they needed to do their job.
- Passwords – The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough, and passwords were not required at all.
- Security controls – Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts. Antivirus protection software was not installed on computer systems.
- Backup and recovery – Data backups were not periodically made, stored at an off-site location, or periodically tested; one audit found that the local government did not have a plan in place to allow computer systems to be quickly restored in case of a disaster situation.
As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations for the local governments to help protect electronic data. They include:
- Ensure user access rights are limited to only what is necessary to perform job duties and responsibilities;
- Ensure user access is promptly deleted following termination of employment;
- Ensuring passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;
- Ensure users understand the importance of maintaining the confidentiality of passwords;
- Putting controls in place to lock computers after inactivity or unsuccessful log-on attempts;
- Ensure computers and systems are adequately protected from computer viruses;
- Ensure data is regularly backed up, stored in a secure off-site location, and tested on a regular basis; and
- Develop a formal disaster recovery plan and periodically test and evaluate the plan.
The complete report on information security controls in Missouri local governments and courts is available here.
(Missourinet contributed to this article)