Kentucky Auditor Adam Edelen found a dozen issues with the state’s cyber security efforts in the 2011-12 fiscal year—and he’s vowing to closely monitor the state’s measures in that area in the coming months.
The findings were reported in Edelen’s statewide audit, in which he gave the state an “unqualified or clean” opinion of the state’s finances.
But in a statement, Edelen said he was concerned about incidents where Kentuckians’ private data could have been accessed by outsiders, including when the Social Security numbers of more than 100 current and former state employees were publicly accessible on a website for two days.
“Agencies across state government possess extremely sensitive information about taxpayers, state employees and industry that needs to be protected from identity thieves and hackers,” Edelen said in a statement.
Edelen said he’ll be watching to see that the state is “doing everything” it can do to keep private data secure.
The Statewide Single Audit of Kentucky also found:
Potential for unauthorized access by certain state employees to bank account information related to the state’s investment holdings and Social Security numbers within a motor vehicle dealer listing;
Potential for unauthorized access by individuals outside state government to certain computers;
Potential for unauthorized access by certain state employees to other state workers’ health insurance data;
Excessive access by certain staff to information that could disrupt an agency’s ability to distribute and track grants.
The risk of private data being stolen or misused increases as governments collect more and more data, said Roman V. Yampolskiy, director of the CyberSecurity Laboratory at the University of Louisville. Technical glitches are one problem; another concern is what cyber security experts call “social engineering,” such as phishing attacks.
Yampolskiy noted that he and his colleagues recently wrote a grant proposal that would integrate continuous biometric-based authentication into the KentuckyID system, which would reduce attacks dependent on stealing passwords.
But a fool-proof cyber security plan can be costly, Yampolskiy noted.
“There is a saying—‘there is no such thing as perfect security,’” Yampolskiy said. “The cost of securing data often scales exponentially with the value of said data. So while it may be possible and affordable to have an OK security level, it becomes really expensive to go to perfect or even near perfect security if a lot of sensitive data is stored.”