A recent St. Louis Post-Dispatch story uncovered vulnerable data on a Department of Elementary and Secondary Education's web application. A reporter's research found more than 100,000 Social Security numbers of Missouri school teachers, administrators and counselors were vulnerable to public exposure.
If that wasn't a wake-up call for Missouri state government to tighten its cybersecurity procedures, a new state audit should.
As we reported last week, the Missouri auditor found that local governments and courts lack even some of the most basic electronic data protections.
Each year, State Auditor Nicole Galloway releases an annual summary of the most common cybersecurity risks identified through audits of local governments and court systems.
Based on 11 audits between July 2020 and June 2021, her office found common risks related to user access, passwords, security controls, backup and recovery data, and data management and integrity.
"When security controls are inadequate - or even non-existent - electronic data can be put at great risk," Galloway said in a news release. "Local governments, courts and school districts face the same cybersecurity challenges as businesses, except that it's taxpayer resources that are put in danger of being lost, misused or stolen. There are proactive measures public agencies can take, and my office has provided several recommendations for better protection."
One problem is that access to sensitive systems isn't always restricted to necessary personnel. That leads to an increased risk of unauthorized changes to records, transactions being deleted or voided, and data or records being lost or stolen.
Another risk found was terminated employees maintaining access to systems.
Passwords not being changed periodically, users sharing passwords and passwords not being required to possess a minimum number of characters are also issues within Missouri's local governments and courts.
The audit found computer systems didn't always lock after periods of inactivity.
The audit suggested local governments and courts store backup data in a secure, off-site location, regularly test backup data and develop a formal contingency plan to ensure operations continue in the event of a disaster or disruption.
We hope the governor and the state departments take the cybersecurity risks found in the audit seriously. If not, it's only a matter of time before data is compromised or destroyed, either maliciously or accidentally.