October 23, 2021

Missouri State Auditor Nicole Galloway

Local government agencies in Missouri can avoid common mistakes and take several steps to safeguard electronic data from hacking, theft and other disruptions, State Auditor Nicole Galloway said. The Auditor today released her annual summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard data.

“When security controls are inadequate — or even non-existent — electronic data can be put at great risk,” Auditor Galloway said. “Local governments, courts and school districts face the same cybersecurity challenges as businesses, except that it’s taxpayer resources that are put in danger of being lost, misused or stolen. There are proactive measures public agencies can take, and my office has provided several recommendations for better protection.”

The summary was compiled using local government and court audit reports issued between July 2020 and June 2021. Auditor Galloway’s office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:

• Access – Former employees did not have their access removed promptly, and current employees had greater access to the computer system than they needed to do their jobs.
• Passwords – The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, and passwords were not required to be complex enough.
• Security controls – Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts.
• Backup and recovery – Data backups were not stored at an off-site location and periodic testing of the backup data was not being performed; one audit found that the local government did not have a plan in place to allow computer systems to be quickly restored in case of a disaster situation.
• Data management and integrity – The audit of one school district found insufficient controls to safeguard attendance data, leaving it at risk of improper changes and being inaccurately reported; another audit found a cybersecurity risk because network access logs were not always maintained or monitored.

As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations for the local governments to help protect electronic data. They include:

• Limiting user access rights to only what is necessary for job duties and responsibilities;
• Promptly deleting user access following termination of employees;
• Periodically reviewing user access to data;
• Ensuring passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;
• Putting controls in place to lock computers after inactivity or unsuccessful log-on attempts;
• Storing backup data in a secure off-site location and testing the backup data on a regular basis;
• Ensuring data integrity and audit trail controls are in place to allow for proper accountability of all transactions; and
• Restricting the timeframe for making changes to data and ensuring that the audit trail of changes is prepared and viewed for accuracy.

The complete report on information security controls in Missouri local governments and courts is available here.