Cyber security is one of those things that most people and businesses don’t ever get around to doing – until they get hacked or their hard drive fails or a disgruntled former employee deletes important files.
The risks of all of those things and plenty more dangers that lurk in the electronic world cannot ever be eliminated, but they can be mitigated through proper planning.
According to a state auditor’s report issued this week, Mississippi is failing in many respects to take those preventative steps for cyber security.
State Auditor Shad White said in a news release that his office sent surveys to 125 state agencies, boards, commissions and universities to gauge their compliance with a state law called the Mississippi Enterprise Security Program. Out of that total, 54 of the institutions (43 percent) did not respond.
Of those 71 agencies that did fill out the survey, significant problems were found. Thirty-one percent had not had a third-party security risk assessment performed within the past three years, as state law requires, and 38 percent don’t encrypt sensitive information.
It’s likely, too, that those numbers are actually higher because the state bodies that didn’t respond are probably following proper cyber security measures at a lower rate than those that did.
So far, there haven’t been any significant problems disclosed from such lax procedures, but the potential threat is very real. Just ask companies like Target, Capital One, Facebook, Marriott, Under Armour, Home Depot, JP Morgan Chase and multitudes of others who have lost untold millions of dollars as a result of data breaches. This is an issue that state government needs to take seriously.
“Many state agencies are operating as if they are not required to comply with cyber security laws, and many refused to respond to auditors’ questions about their compliance. … Mississippians deserve to know their tax, income, health or student information that resides on state government servers will not be hacked,” the auditor’s report said.
White, who has brought a newfound zeal to the auditor’s office since being appointed last year, offers some common-sense advice about what security measures to take. For example, the auditor’s office got the U.S. Department of Homeland Security to try to hack the auditor’s system to test for vulnerabilities, and employees are trained to spot phishing attempts, where fraudulent emails try to lure employees into letting hackers in.
Leaders of other state agencies should take heed, and the auditor’s office should keep the pressure up to make sure they comply with laws that are already on the books for good reason. Any headaches associated with preventative planning are far smaller than the costs that will follow when an inevitable hack happens and proper security isn’t in place.
Charlie Smith is editor and publisher of the Columbian-Progress in Columbia, Mississippi.