South Carolina needs to spend nearly $15 million next year to bolster cybersecurity in the wake of the largest hacking at a U.S. state agency, a consultant told state leaders this week.
The state needs to spend $7.3 million each year to centralize computer security at state agencies, Deloitte Consultants told the S.C. Budget and Control Board.
The 2013-14 budget approved by the state House includes $25 million for cybersecurity efforts, which includes the cost to continue provide credit-fraud monitoring for consumers and businesses hit by hackers.
South Carolina already has spent more than $20 million in response to the hacking.
The state paid Experian $12 million to provide credit fraud monitoring for a year. Nearly 1.5 million people enrolled.
Lawmakers are debating how to protect consumer in future years, including providing 10 years of free credit protection. The Budget and Control Board agreed Wednesday to seek proposals for credit-fraud protection for up to five years.
Deloitte won a three year, $3 million contract in March to provide recommendations after thieves took personal information belonging to 6.4 million' consumers and their children and businesses from the S.C. Department of Revenue in mid-September.
Deloitte's suggestions after two months of analysis were similar to those put forward by some S.C. lawmakers and other computer experts in the state when the hacking revealed that agencies had their own differing cybersecurity policies.
"There's a lack of consistency," Mike Wyatt, Deloitte's security and privacy director, told Gov. Nikki Haley and other state leaders. "With that lack of consistency, it's very tough to have security controls."
The consultants recommended appointing a chief computer security officer who would determine statewide protection rules but allow state agencies to maintain their computer networks.
"We are not disrupting agency operations," Wyatt said. "They would work in close collaboration with the security office."
Taking these steps could make South Carolina a model for state cybersecurity within five years, he said.
Deloitte suggested the security chief work with the S.C. Budget and Control Board. A bill creating a separate agency for the chief security officer that would report to the governor has passed in the Senate.
Wyatt praised the governor ordering the 16 cabinet agencies use network monitoring offered by the Division of State Information Technology as a foundation for improved security.
The revenue department has taken several steps to bolster protection of taxpayer information under a new director, Bill Blume, including limiting personal access to agency computers and more password protection. Hackers were able to enter the department's state taxpayer databases using a stolen a employee login.
Copyright 2013 - The State (Columbia, S.C.)