Local governments make common cyber mistakes, auditor finds
Connecting state and local government leaders
A Missouri state auditor identified key problem areas and solutions that local governments must address to protect against cyber threats.
Local government still has room to improve its cybersecurity practices—especially user access management and authentication, security controls and backup and recovery, according to Missouri State Auditor Nicole Galloway.
A report released Nov. 30 compiled audits of local governments and courts conducted between July 2021 and June 2022. It detailed common issues with information security controls and highlighted that poor password and computer security, a lack of data backups and employees’ unrestricted access to computer systems made local government’s electronic data vulnerable to hacks, theft and other risks.
To stave off potential cyber threats, the report recommended local governments and courts require employees to change passwords periodically and limit password sharing. It also noted the importance of complex passwords with a required minimum number of characters to thwart outsiders’ attempts of guessing an employee’s information. Otherwise, accounts with simple, unchanged passwords are more likely to be compromised.
Routine data backups and off-site storage are other practices local governments and courts should consider. When data is not backed up periodically, critical data may not be recoverable following a “disruptive event” the audit findings stated. Storing backups at an off-site location and testing functionality is another way to protecting electronic data. The report also suggested governments have a “disaster recovery plan” in place and review it regularly.
Another area local government can improve is cracking down on employees’ system access. Employees should only have access to files that are relevant to their job responsibilities and needs, the report said, and former staff members’ access should be disabled. This “excessive” access may open the door for users’ improper activity with sensitive information to sabotage or impair operations, whether intentional or deliberate, the report stated.
Furthermore, the report found that some local government systems did not have security controls in place that would lock the computer after numerous failed login attempts or extended inactivity. Without these precautions, bad actors’ attempts to gain access could be unlimited, raising the risk of sensitive data being compromised, the report noted. Also, local governments should use antivirus protection software to safeguard against “malicious code” that could weaken a system’s integrity.
"Government faces the same cybersecurity challenges as the private industry, except that it's taxpayer resources that are put in danger of being lost, misused or stolen when security controls are inadequate," Galloway said in a statement. "Public entities must be proactive and vigilant when it comes to cybersecurity."
NEXT STORY: Ohio to offer CMMC cyber coaching