Connecting state and local government leaders
Inadequate password controls and granting employees too much access to information are some of the issues pinpointed.
Having lax computer password requirements in place is one of the top cybersecurity mistakes within Missouri local governments, according to a new review from the state auditor’s office.
The office of Auditor Nicole Galloway last week issued a summary of the most common cybersecurity slipups found in local government audits that had been released between July of last year and this June. Staff in Galloway’s office looked at 33 audit reports from that time period, which covered cities, counties, courts, school districts and a college.
In addition to poor password practices, the review pointed to oversights related to other protections meant to limit computer system access, as well as inadequate controls for tracking who has altered or destroyed data. There were also problems related to backing up information.
Lapses of the sort highlighted in the review have the potential to be exploited by mischief-makers, cyber-criminals and others looking to extend Missouri’s unofficial nickname—“The Show-Me State”—to the sensitive digital information that local public agencies control, such as records for taxpayers and students.
“Despite the increasing awareness of threats to data security across all levels of government, my review found there are still some very basic security measures that have not been implemented,” Galloway said in a statement last week.
Password problems were found in 20 of the reviewed audit reports. These included not requiring passwords to be regularly changed, allowing them to be shared between employees, and maintaining computer systems that simply did not have any password protections in place.
Meanwhile, 15 audit reports documented shortcomings related to computer access rights and privileges for employees. These dictate which parts of a computer system an employee can get into, and what they can do once they’re there. The review stressed that these rights and privileges should be limited based on a person’s job responsibilities.
Seven reports found instances of computers that did not block people from using them after the machines had sat idle for a while, or after repeated unsuccessful login attempts.
Another seven discovered problems with data backups and recovery. For instance, data was not being backed up routinely in secure, offsite locations, or tests were not being conducted to see if data lost during a disaster or disruption could be restored.
And, finally, four audits found fault with local government data management practices, which included not having controls in place to prevent improper changes to information, as well as not having methods for tracking who had changed or deleted data.
The threat of cyberattacks at the local level is real.
Just last week across the state line in Kansas, Wichita’s public school system was hit with a hacking attempt. And last Friday, in Utah, Salt Lake City School District phone and computer systems were overwhelmed by a cyberattack that inundated them with thousands of illegitimate requests. School officials have said no student or parent data was taken.
In Missouri, the city of Springfield’s website was breached in 2012, and personal information for about 2,100 local residents was compromised. A 22-year-old later pleaded guilty to that hack, as well as others, and received a three-year federal prison sentence.
“People have a right to expect their government will keep their information private and secure,” Galloway said. “This is an area that all government organizations must take seriously.”
Bill Lucia is a Reporter for Government Executive’s Route Fifty.