Missouri's state auditor is waging a war against bad cybersecurity practices.
As high-profile breaches continue to make headlines across the country, Nicole Galloway has made cybersecurity a priority since she became the state auditor on April 27. The government lags behind the private sector in its cybersecurity practices, and Galloway has led her team of auditors on a mission to sniff out problems in school districts, local municipalities and large government agencies, including the Missouri Department of Elementary and Secondary Education (DESE).
"It's my job to hold government accountable at all levels," Galloway said. "I believe that in government, we need to proactively make sure we protect people's personal information."
Galloway is holding government accountable by incorporating cybersecurity checks into every audit as her team looks for common data protection issues. In addition, auditors finished an investigation into data security in DESE's student information system last fall, announced the start of Cyber Aware School Audits and published common issues from a year's worth of audits across the board.
Overall, the auditor's office gave DESE a "good" rating in the areas it audited, which means that the department runs well, has a few things to fix and has agreed to work on those areas by following most of the auditor's recommendations. In the student information system audit, investigators made four recommendations that DESE started acting on:
After auditors found these issues with DESE, Galloway wondered what happens with the data that the department receives from local school districts. Her son started school this year, and she filled out a stack of paperwork for the school district that included personal information about her and her son. She said she wanted to see whether school districts had safeguards in place to keep data out of the wrong hands, so she started the Cyber Aware School Audits last fall.
Auditors have completed their field work in Boonville and Waynesville school districts, plan to start their field work soon in Cape Girardeau and Park Hill school districts, and don't have a date yet for Orchard Farm School District, Galloway said.
Though Orchard Farm is last on the list, Technology Director Bill Niemeyer and his staff have been working on cybersecurity best practices and taking advantage of cybersecurity webinars from the Missouri Research and Education Network (MOREnet). MOREnet connects public-sector organizations in Missouri to the Internet and provides technical training, among other things. In the webinars, IT leaders talked about issues including backup plans for disaster recovery, security controls and password policies.
"The data that we have on our networks is very confidential, and we certainly want to protect all of the private information from students and teachers," Niemeyer said.
One question that has come up is how a district would know whether it had an intrusion. Orchard Farm School District has a three-member IT team, and the small district of fewer than 2,000 students doesn't have the resources to buy expensive intrusion detection systems, Niemeyer said. Because most Missouri schools use the same Internet service provider, he said it would be nice if MOREnet could work out a deal with vendors to provide these systems at a discounted rate.
In fact, another organization is already working on that: The Center for Education Safety, which is part of the Missouri School Boards' Association, has an agreement in place with DESE to support school emergency planning. Within the next few weeks, the center plans to sign an agreement with a business partner that can scan school systems to detect intrusions, said Paul H. Fennewald, the center's director. Schools would be able to take advantage of this detection tool.
In its role of educating district leaders on school safety, the center created a cybersecurity checklist with help from the FBI and the Department of Homeland Security. After Galloway announced the Cyber Aware School Audits in September, Fennewald shared the checklist with the auditor's office and asked for input so his center could help schools better prepare for the audits. Auditors told the center that the guidelines looked good, but didn't give any feedback beyond that, Fennewald said.
On a scale of 1-10, Fennewald estimates that districts' cybersecurity preparedness is at a 3 or 4. In safety assessments in schools, he sees major problems with school data backups, device policies, data access, firewall strength and out-of-date antivirus programs. He said he's afraid that bad actors may attack school networks and delete education records, which would be catastrophic if the district's backups were corrupted.
"It's extremely important that we get ahead of this issue," Fennewald said. "We're not moving fast enough in my estimation, but I think we're moving in the right direction anyway."
In an October report, the auditor's office shared some of the common cybersecurity mistakes it saw across 33 municipalities, school districts and state agencies between July 2014 and June 2015. By sharing these mistakes, the office is giving IT leaders an opportunity to beef up their cybersecurity.
For school districts involved in the Cyber Aware School Audits, auditors will write a draft report that includes recommendations and meet with district administrators to talk about the results. This meeting gives district leaders an opportunity to correct any inaccurate information and understand the issues that the audit identified, Galloway said. It also allows them to address major security vulnerabilities together before the report is published to prevent anyone from taking advantage of the vulnerabilities. The districts will have 30 days to respond to the draft report, and their responses will be included in the final published report.
In typical audits, auditees may fix some of the issues during that 30-day window and respond that they're fixed or will be fixed, Galloway said. They also may recognize they have a problem in a specific area, but decide to address it in a different way than the auditors recommended. In rare cases, the auditee may disagree with the findings and refuse to implement them.
In April or May, Galloway said she plans to release the Boonville report, and the other reports will follow as the investigations are completed. When all five investigations end, the auditor's office will share common problems it found in school districts with the Missouri School Boards' Association so that the association can continue to educate its members on better cybersecurity practices. Then the auditor's office will start another round of audits to hold school districts accountable for their cybersecurity practices.
"For me, this is not a gotcha thing," Galloway said. "I believe in good government, and I believe that if we work together, we can create a solution and we can move the needle on this."