State Auditor Nicole Galloway today released a summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard data. Inadequate security controls — and, in some cases, even the lack of controls — put government electronic data at risk of hacking and theft, Auditor Galloway said.
“Our audits uncovered numerous gaps in cybersecurity that compromise the safety of government data,” Auditor Galloway said. “These were often as basic as changing, or even using, computer passwords. Government officials have a responsibility to the citizens they serve to ensure appropriate cybersecurity measures are in place and updated timely.”
The summary was compiled using local government and court audit reports issued between July 2019 and June 2020. Auditor Galloway’s office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:
- Access – Former employees did not have their access removed promptly, and current employees had greater access to the computer system than what they needed to do their job.
- Passwords – The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough, and in some instances, no passwords were even required for access.
- Security controls – Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts.
- Backup and recovery – Data backups were not stored at an off-site location, and periodic testing of the backup data was not being performed.
- Data integrity and tracking – Controls were not in place to guard against improper changing or destruction of data, and the systems did not track who was responsible for changes or how the changes were made.
As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations for the local governments to help protect electronic data. They include:
- Limiting user access rights to only what is necessary for job duties and responsibilities;
- Promptly deleting user access following termination of employees;
- Periodically reviewing user access to data;
- Ensuring passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;
- Putting controls in place to lock computers after inactivity or unsuccessful log-on attempts;
- Storing backup data in a secure off-site location and testing the backup data on a regular basis;
- Ensuring data integrity and audit trail controls are in place to allow for proper accountability of all transactions; and
- Restricting the timeframe for making changes to data and ensuring that the audit trail of changes is prepared and viewed for accuracy.
The complete report on information security controls in Missouri local governments and courts is available here.