Broadalbin & Perth – State auditors raised concerns about the security of online banking used by Broadalbin-Perth Central School District officials in a multi-year review, prompting the district to adopt new policies and procedures.
The auditors, who examined the district’s online bank transactions between July 2018 and January 2020, as well as its computer-use policies and practices, found that district officials created risks by failing to limit the number of computers used to access online banking, ensure adequate training or monitor whether officials with access to online banking used their computers only for business purposes.
The audit did not find that the district’s bank accounts were compromised or that any wire transfers were inappropriate, but it recommended the district school board adopt a comprehensive policy on online banking.
“District officials did not adequately monitor online banking users’ internet use for compliance with the (district policy about computer use),” according to the auditors. “We reviewed the web browsing histories of the six computers used for online banking and found that five of the six users assigned to these computers accessed websites for nonbusiness purposes that we prohibited.”
The personal computer use, which included “watching videos, browsing entertainment news, and visiting sports, social networking and email websites,” was the result of district officials not installing necessary software to filter employee internet access. The personal use of computers, according to the audit report, opened potential avenues through which malicious actors could access the district computer system and misappropriate district funds. The auditors also recommended limiting the number of computers used for district online banking to minimize risk exposure.
“By allowing personal use of district computers, the district has an increased risk that its network and computers will be exposed to attacks and malicious software,” the auditors wrote.
After reviewing hundreds of the district’s online banking transactions totaling $72.5 million, the auditors concluded that while the “funds were vulnerable to online theft through unauthorized access,” no funds were actually lost during the audit period.
In a formal response to the audit finding, district officials highlighted work to create a new online banking policy initiated during the audit period as well as efforts to improve training and monitoring. The district response also highlighted that no improper transactions were identified.
“District officials and the Board of Education are proud of the consistent efforts and continued success of our business staff,” district officials wrote in the response. “Initial development of an online banking policy is underway, the district’s acceptable use policy is under internal review, and professional development opportunities and trainings specific to IT security have already been implemented.”
District officials did resist a recommendation to isolate all online banking to a single computer, arguing that doing so could create its own security risks and highlighting other safeguards that banks have put in place to minimize cyber threats.
“It is the opinion of the district, and of technology experts in the majority of regional school districts, that the use of a solitary dedicated computer for all online banking transactions provided only minimal security,” district officials wrote.