(From State Auditor Nicole Galloway)
Missouri State Auditor Nicole Galloway has released a list of the top five most common data security mistakes made by local governments. The list was compiled based on a summary of reports issued over a one-year period in order to provide awareness to local governments and to assist them in preventing these common mistakes in the future.
“This report shows Missouri's local governments still have work to do to improve the security of data in their possession. Many of the corrective actions outlined in this report have little to no cost associated with implementing them, especially when you consider the cost and resources required by an organization after a data breach has occurred," Auditor Galloway said. "From restricting access to only staff who need it to ensuring all computers and systems are properly password protected, it's my hope local leaders and officials will review these common findings and take action to secure their systems."
The report examines how well local government agencies and officials comply with many routine data security practices, and highlights the following five common cybersecurity issues:
1. Passwords- Employees share computer system passwords, are not required to change their passwords regularly, or, in some cases, do not have passwords.
2. Access- Employees have access to more parts of government computer systems than they need to perform their jobs.
3. System locks- Systems do not lock access to the computer after a certain amount of inactivity or specific number of incorrect password attempts.
4. Data backups- Data is not backed up on a regular basis, is not stored in a secure off-site location, or is backed up but is not tested regularly to ensure it can be restored.
5. User restrictions and tracking- Protections are not in place to prevent inappropriate edits or system changes, or systems don't track who is responsible for the changes.
The list was compiled based on local government and court audits completed between July 2015 and June 2016. A similar report was released last year. For the second year in a row, password protection concerns topped the list, and none of the findings from the previous year dropped off.
"Citizens provide information to government for many legitimate reasons, but they also have a right to expect that information will be kept secure. Although there is increasing awareness of data security threats that currently exist, and new ones being identified on a regular basis, this report shows there are still some very basic actions many local governments are not taking to properly safeguard this information," Auditor Galloway said.
The complete report is available here.
Since taking office, Auditor Galloway has made cybersecurity a priority across all components of government, including incorporating data security reviews into the standard audit process and launching a Cyber Aware School Audit program as part of an ongoing emphasis on data protection practices and keeping Missourians' information secure. A separate summary report of the most common concerns identified through the course of the Cyber Aware School audits will be released later this month.