Learning from our mistakes must be a big part of any takeaway from the massive security breach at the state Department of Revenue.
A very chilling report released Tuesday on computer security management statewide shows we have a lot of work to do.
The people in charge of computer security management at state agencies gave their systems very low grades. On a scale of one to five, with five being high and one being very low, 15 of 18 chief information officers rated statewide information security as either low or very low.
Inspector General Patrick Maley said one information officer rated cyber security at state agencies this way: "2 on a good day."
Another was quoted in the report as saying, "What scares me is what I don't know."
What we need, Maley said, is centralized computer security management, ending the practice of state agencies running their own security systems.
"This decentralized approach prevents the state from understanding, let alone managing, statewide (information security) risk, which creates potentially negative consequences for all of state government," the report states.
As with many things in South Carolina government, the situation that has existed makes little sense. The state's Division of State Information Technology provides computer system services at a cost to other agencies, but the agencies are not required to use them. The Department of Revenue did not even use the division's free network monitoring system.
The report recommends hiring a chief information security officer and a consultant to help install the system. Agencies would run their own computer security networks but with a set of standards to meet. Until then, the state should name an interim head of computer security and create a steering committee to push for stricter information security measures.
No price tag was put on a new, centralized security system, but can we afford not to put one in place? It would have to cost less than what we're paying now and into the future for the loss of critical data affecting 6.4 million individuals and businesses.
We've already been told that a $25,000 password system would have prevented the breach.
There also may be other lessons to learn. That's why the full report from Mandiant, the company paid $700,000 to find out how the security breach happened, should be as open as possible. The fact that many key players didn't know that a report released last month wasn't the full report bodes ill.
We realize some parts of that report probably shouldn't be disclosed publicly for security reasons, but sensitive information can be redacted. A publicly funded report on a very public matter should not be hidden. Gov. Nikki Haley's administration is wrong to say it won't release the report. Haley's spokesman said they were heeding the advice of Mandiant. That's not good enough.
At the very least, as state Sen. Tom Davis of Beaufort says, the Department of Revenue should have to provide a much more detailed explanation for why it is withholding the report.
"There has to be an extremely high threshold to justify withholding information that is clearly in the public interest," Davis said.
Sen. Kevin Bryant of Anderson, co-chairman of a committee looking into the breach, said, "If it's simply embarrassing information, then I still think the people of the state need to know."
Restoring public confidence also is an important part of the work to be done. The way the full Mandiant report is being handled does not do that.