As a CPA and certified fraud examiner, Nicole Galloway has been keeping an eye on government. In her current role as the Missouri state auditor, she acts as the independent watchdog who holds government accountable and uses the audit process to shine a spotlight on issues that should be addressed, including cybersecurity.
“I’m passionate about an opportunity to really create change, to make government serve its citizens better,” Galloway said.
Since she took office in April 2015, Galloway has incorporated cybersecurity checks into audits and specifically addressed cybersecurity in audits of school districts and the Missouri Department of Elementary and Secondary Education. Throughout this process, she has set out to raise awareness about the importance of cybersecurity and provide guidance to government entities that may not have a dedicated information security team, IT staff or resources to tackle this issue.
Recommendations from the audit reports identify simple, low-cost practices that will prevent government entities from spending millions of dollars after a security breach and help them avoid public embarrassment. For example, schools should require users to change computer passwords regularly, establish a comprehensive data governance program, and train employees on security and privacy.
Sometimes, government agencies need a fresh eye to look at the systems they put in place decades ago and find potential vulnerabilities, Galloway said. In an audit of the Missouri student information system, her office found that the state education department collected Social Security numbers that it no longer needed. After the audit, the department agreed to stop collecting that information.
“That is a direct result that decreases the risk and vulnerability to families and students, and it highlights to others that this is something we may need to pay attention to,” Galloway said.
For Galloway and every other family with kids in school, this issue is personal. She doesn’t want to have to worry about what would happen if someone stole her 5-year-old son’s Social Security number.
Moving forward, Galloway’s team plans to finish the last of five Cyber Aware School Audits by the end of the year. After analyzing common problems in the five school districts, she will work with education associations in the state to help train schools about both simple and more complicated ways to make their systems more secure. —Tanya Roscorla