Kansas City Employee Cell Phones Could Expose City To Hacks, Audit Finds
Even at the city level, officials are worried about cyber security threats.
A Kansas City, Missouri, audit released Tuesday studied risks related to cell phones and tablets used for city business. And although the findings weren't terrible, there's still a lot of room for improvement.
The city owns over 750 smartphones and tablets used by employees for city business. Another 230 employees use personal phones and tablets for city business.
"What we found was that although the city has a number of mobile device security policies, it is lacking some critical policy requirements to mitigate mobile security vulnerability," says City Auditor Doug Jones.
Those policy requirements include updates to the operating systems, disabling location services when they're not in use, reporting lost devices to IT immediately and encrypting data stored on tablets.
Additionally, the audit found that many employees weren't even following the security policies that are already in place, like requiring a passcode to access all mobile devices used for city business and disabling Bluetooth when the function is not in use.
These requirements may seem straightforward, but many city employees who use city-owned devices also use them as their personal cell phones. So something as simple as turning off Bluetooth or location services when they're not in use could be a hassle. A hassle that, ultimately, is worth it, says Jones.
But some measures are easy to follow, like always updating your operating systems. These updates generally fix smaller errors.
"Those are the types of things that hackers can exploit are those vulnerabilities or those system errors," Jones says.
Other easy recommendations? Don't download apps from untrustworthy, third-party app stores and don't connect to unknown WiFi networks or hotspots.
The auditor also recommended the city invest in mobile device management software, which helps enforce these security features.
That kind of software has a price tag of about $59,000 a year, but Jones says that isn't that much, considering it can cost thousands of dollars to investigate and remediate just one device that's been compromised.
This is the latest in a series of IT-related audits the office has conducted in recent years. Jones says these kinds of audits will become more common, as the risk for data breaches grows.
"Cyber security and cyber risks, that's one of the highest risks areas right now for any entity that has these pieces of equipment. Data is everywhere and it's being used by every type of organization," Jones says.
Lisa Rodriguez is a reporter for KCUR 89.3. Connect with her on Twitter @larodrig.