Inspector General: Statewide computer security lacking
The state needs a comprehensive approach to dealing with cyber-security to prevent another massive breach like the one that resulted in millions of taxpayer records being stolen from the Department of Revenue.
That's one of the findings contained in an interim report released Tuesday by state Inspector General Patrick Maley. The 18-page document is the result of interviews Maley's office conducted with computer specialists from 18 state agencies and a number of outside sources.
Maley found that South Carolina's government has a decentralized approach to cyber-security, with no one entity “with the authority, or responsibility, to provide leadership, standards, policies and oversight.” This puts the state at an inherent disadvantage in protecting its systems and data, the report states.
Those interviewed were in almost complete agreement that the state's current approach to cyber-security is inadequate and that a more standardized approach is needed, the report found.
The review also found South Carolina is not alone. A 2012 survey of state chief information officers around the nation determined that only 24 percent were very confident in their ability to protect information from external threats, the report states.
Among other things, the report recommends:
Establishing a statewide security program for protecting information from hackers.
Creating a chief information security officer position to lead the development and implementation of a statewide protection program.
Establishing a steering committee of experts to help with development of a security program.
Hiring an outside consultant to help the state develop a framework for enacting an improved system for dealing with hacking threats.
Maley's report comes in the wake of a massive hack at the state Department of Revenue that resulted in the theft of records of 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 credit card accounts that are now expired.
Experts have warned that the information could be used to steal identities, make fraudulent purchases, raid bank accounts and more.
Cybersecurity firm Mandiant has said it thinks the breach stems from an Aug. 13 malicious email sent to multiple Revenue Department employees.
At least one of the employees clicked the link in the email, unknowingly executing malicious software and compromising the database, according to the company.
The two central faults in the attack, Gov. Nikki Haley has said, were that the Revenue Department didn't have dual verification to get into its system, and that Social Security numbers were unencrypted.