Nicole Galloway says it’s often way too easy for computer hackers to get access to what otherwise should be uncompromisingly secure data.
The Missouri auditor has been trying to make it harder.
Since Galloway’s appointment to the post in the spring of 2015, she said, she has made cybersecurity a top priority, and she and her office have been working to sniff out weak spots in the data security practices of state and local governments and school districts.
“We want to be able to interact with government using technology,” Galloway said. “People would be frustrated if the only way to pay a bill was to go to the courthouse and write a check. Being able to pay bills online is a convenience, but with that convenience comes the possibility of data breaches.”
Data theft has, indeed, reached record levels. According to the Identity Theft Resource Center, there were 783 data breaches last year. The Federal Trade Commission recorded 332,646 identity theft complaints. All forms of fraud, including identity theft, cost Americans about $1.7 billion in 2014, or an average of more than $2,000 per incident.
Most people are aware of high-profile breaches that grab headlines. Criminal hackers last year broke into Anthem’s servers and stole more than 37.5 million records that contained personally identifiable information. Target’s famous security breach in late 2013 exposed 40 million customer debit and credit card accounts.
But it also happens in governmental sectors, affecting city halls, county and state offices and school districts across the country, Galloway said, adding that “this is not just a conversation that needs to be going on in boardrooms.”
In the past 10 years or so, more than 250 schools have also had cyber breaches, several of them in Missouri. In 2014, the Park Hills School District informed more than 10,000 district employees about a data security breach when a former district employee posted secure data on the internet.
Last year’s massive data breach at the federal Office of Personnel Management compromised the personal information of more than 22 million people, affirming that the government is no more immune to breaches than the private sector.
“This is not something that’s abstract,” Galloway said. “It’s happening and it happens here.”
To do her part to combat the growing problem for residents in Missouri, Galloway announced the launch of a cybersecurity audit initiative in Missouri schools in September, one that has focused on identifying practices that improve the security of information that schools have on students and their families.
Galloway and her team of auditors added different procedures to look at security and the protection of data. She said her office has already seen results. For example, in October, Galloway released a cybersecurity audit of the Missouri Student Information System used by the Department of Elementary and Secondary Education, or DESE. The audit found DESE unnecessarily collected and retained personally identifiable information, including Social Security numbers, from school districts across the state.
“Any time you collect a Social Security number in a spreadsheet or electronic form and then maintain it at a statewide level, there’s an opportunity for it to fall into the wrong hands,” Galloway said. “Because of our audit, DESE has stopped this practice. It shows it is a priority in this office.”
In March, Galloway released the first in a series of cybersecurity audits of school districts. Several of those audits, which have continued since, have raised concerns with data protection practices and all included recommendations to improve the security of student information and records.
In one school district, the audit found that the district did not have an appointed security administrator and had not properly secured sensitive technology hardware to prevent data theft or access by unauthorized users. The audit also identified concerns with a number of basic data security controls, including password change requirements, staff access to computerized systems, and monitoring of security logs to identify and address cyber threats for investigation.
She and her auditors also dig into cybersecurity practices when they audit governmental agencies. When audits are done in cities, counties or other state bureaucracies, Galloway said she also finds, over and over, that there are simple things that such agencies are not doing to protect information. In some cases, systems don’t have something as basic as a password, so anyone can get in and gain access to the information, she said.
“Government employees have access to information they need to do their job,” Galloway said. “But too much access is too much vulnerability. Having data backups or system locks or user restrictions are just some simple things that can prevent a lot of vulnerability.”
And the good news for taxpayers, Galloway said, is that many of her recommendations are simple fixes that require no cost, such as requiring a password change, implementing a system backup or creating a data breach response policy.
“These are low-hanging fruit for them to take advantage of,” Galloway said. “People see that when we’re auditing them, here’s their opportunity to fix the problem.”