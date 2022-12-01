(The Center Square) – Local governments can safeguard electronic data from hacking, theft and other disruptions by focusing on four areas, according to a report published by Missouri Democrat Auditor Nicole Galloway.
However, one area not addressed in Galloway's report was auditing or reviewing how data is available through public-facing websites. Last year, a journalist discovered personal information of educators was available when viewing the HTML code on Missouri's Department of Elementary and Secondary Education (DESE) website.
Missouri Republican Gov. Mike Parson launched a criminal investigation over the incident, stating the action was a "hack" and would cost the state $50 million. Margie Vandeven, Commissioner of Education, apologized, pledged to resolve the situation and spent approximately $800,000 for free credit and identity theft monitoring for 620,000 past and present certified teachers.
Cole County Prosecutor Locke Thompson declined to press charges, stating "the issues at the heart of the investigation have been resolved through non-legal means."
"Government faces the same cybersecurity challenges as the private industry, except that it's taxpayer resources that are put in danger of being lost, misused or stolen when security controls are inadequate," Galloway said in a statement announcing the report. "Public entities must be proactive and vigilant when it comes to cybersecurity."
Andrew Bailey, Parson's chief legal counsel who was selected to be Attorney General last week, quoted the Missouri Statute when addressing the "hack" as he answered questions from reporters after being introduced as the replacement for U.S. Senator-elect Eric Schmitt.
"…the revised statutes of Missouri says that unauthorized access, conversion and theft of state data is a crime," Bailey said. "I would discourage anyone from violating that statute."
In the report's cover letter addressed to Parson and the General Assembly, Galloway stated the "objective of this report was to summarize recent information security control issues and recommendations." The summary was compiled using local government and court audit reports issued by her office between July 2021 and June 2022. Findings from 16 audits were noted in the report. It found the most common cybersecurity issues found by audits were:
Access: Former employees didn't have their access removed promptly and current employees had greater access to information than what they needed for their job.
Passwords: System administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough and passwords were not required at all.
Security controls: Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful login attempts. Antivirus protection software was not installed on computer systems.
Backup and recovery: Data backups were not periodically made, stored at an off-site location, or periodically tested. One audit found a local government didn't have a plan to quickly restore computer systems in case of a disaster situation.
The report gave eight recommendations for local governments to help protect electronic data, but didn't include auditing or reviewing data accessible through public-facing websites.
In October, Galloway gave the Missouri Conservation Department its second-highest rating on its four-level scale after auditing its data security.