County & Local

Missouri auditor finds cyber hygiene lapses across local governments

A compilation of 11 audits of local governments and courts found common lapses in cyber hygiene, including weak password practices and a lack of backups.

By Ryan Johnston

October 19, 2021

(Getty Images)

Local governments in Missouri should take steps to improve their cybersecurity postures, according to a report published Monday by Missouri State Auditor Nicole Galloway.

The report is a compilation of 11 audits conducted between July 2020 and June 2021 on the cybersecurity practices of certain school districts, courts, counties and cities in Missouri. Galloway’s new publication offered cybersecurity recommendations to each organization in response to each individual audit, but also found several common mistakes across the 11 local reviews, including not changing passwords regularly, not backing up data securely and not locking computers after unsuccessful log-in attempts.

The lack of basic cyber hygiene puts local agencies at risk for “hacking, theft and other disruptions,” Galloway’s office said in a press release, something Missouri has dealt with on a statewide level recently. An employee at Missouri’s school pension authority had their email accessed by an unauthorized individual last month, the St. Louis Post-Dispatch reported on Tuesday. The Post-Dispatch also reported last week that the social security numbers of more than 100,000 K-12 educators and administrators were available online through a vulnerability in the Missouri Department of Elementary and Secondary Education website, a discovery that led Gov. Mike Parson to issue a legal threat against the paper and its reporter.

“When security controls are inadequate — or even non-existent — electronic data can be put at great risk,” Galloway said in a press release. “Local governments, courts, and school districts face the same cybersecurity challenges as businesses, except that it’s taxpayer resources that are put in danger of being lost, misused, or stolen. There are proactive measures public agencies can take, and my office has provided several recommendations for better protection.”

The summary concluded that local agencies should prioritize testing backup data regularly and storing it in off-site locations, as well as ensuring that changes to their data and digital environment are properly documented, so there can be accountability if something goes wrong.