Auditor: Local governments can strengthen cybersecurity practices

Nicole Galloway

Local governments and courts lack even some of the most basic electronic data protections, the Missouri state auditor found.

On Monday, State Auditor Nicole Galloway released her annual summary of the most common cybersecurity risks identified through audits of local governments and court systems.

Based on 11 audits between July 2020 and June 2021, Galloway found common risks related to user access, passwords, security controls, backup and recovery data, and data management and integrity.

"When security controls are inadequate - or even non-existent - electronic data can be put at great risk," Galloway said in a news release. "Local governments, courts and school districts face the same cybersecurity challenges as businesses, except that it's taxpayer resources that are put in danger of being lost, misused or stolen. There are proactive measures public agencies can take, and my office has provided several recommendations for better protection."

In terms of user access, Galloway's summary found access to certain systems has not been adequately restricted to the necessary personnel.

With additional personnel able to read or write files, there is an increased risk of unauthorized changes to records, transactions being deleted or voided, and data or records being lost or stolen.

Additionally, the report found supervisory reviews of users within a system have not been performed in some areas.

That can lead to another common risk found within Missouri's local governments and courts: terminated employees maintaining access to systems.

"Without effective procedures to remove access upon termination, former employees could continue to have access to critical or sensitive data and records, which increases the risk of the unauthorized use, modification, or destruction of data and information," the summary report states.

These user access risks were found in four of the 11 government entities that were audited.

In her report, Galloway suggested limiting system access to only the employees who would require access for their job responsibilities and removing a user's access upon termination.

Passwords not being changed periodically, users sharing passwords and passwords not being required to possess a minimum number of characters are also issues within Missouri's local governments and courts.

"Without strong user account and password controls, including maintaining the confidentiality of passwords, the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information is increased," the report states.

Password issues were found in eight of the 11 audited government entities.

Galloway's recommendations include changing passwords periodically, requiring unique user accounts and passwords to access computers and data, and requiring passwords contain a minimum number of characters to avoid being easily guessed.

Computers and systems not locking after a period of inactivity or a certain number of unsuccessful attempts are additional security control issues found among the audits.

Without controls to lock an inactive computer or to lock a system after unsuccessful access attempts, local governments and courts are more vulnerable to unauthorized use of computers and modification or destruction of data.

A lack of security controls was found in four of the 11 audits.

Galloway suggested local governments and courts ensure the security controls for inactivity and multiple unsuccessful attempts are implemented.

She has also suggested local governments and courts store backup data in a secure, off-site location, regularly test backup data and develop a formal contingency plan to ensure operations continue in the event of a disaster or disruption - which wasn't done by at least three of the local governments that were audited.

"Without storing backup data at a secure off-site location, critical data may not be available for restoring systems following a disaster or other disruptive incident," the report states.

The remaining cybersecurity risks were related to data management and integrity.

Galloway's audit summary found a school district's attendance system didn't limit when changes could be made to data and there was no review process to ensure data changes are appropriate.

"Without limiting the time frame during which changes can be made or reviewing changes made, data is subject to erroneous changes that may significantly affect the reliability of official attendance reports," the report states.

Additionally, Galloway's audits discovered the network access log of at least one county government hadn't been maintained.

Without a method of tracking security-related events, the local government is at an increased risk of undetected and unauthorized system activity, according to Galloway's report.

She suggested local governments put system integrity controls - like network access logs - in place and restrict the time frame for making data changes.

Galloway's office has been issuing similar cybersecurity risk reports since 2015.

"Since taking office, Auditor Galloway has made cybersecurity a priority across all components of government, including incorporating reviews of compliance with data security standards and best practices into the standard audit process and launching a Cyber Aware School Audit program as part of an ongoing emphasis on data protection practices and keeping Missourians' information secure," said Eric Slusher, communications director for the Auditor's Office.

Galloway's work to improve student data security in Missouri schools earned recognition from the Center for Digital Education in 2016, when she received a Top 30 award.
