CLEVELAND — The Ohio Auditor of State sent a scathing assessment of the city's cybersecurity practices to Mayor Justin Bibb, the Cleveland City Council and the Audit Committee.
The letter stated that the city had failed to implement basic security controls to prevent cyberattacks.
A cyberattack shut down the Cleveland Municipal Court and the Cleveland Housing Court earlier this year.
Another cyberattack shut down Cleveland City Hall last year.
The auditor wrote, "The City has a formal cyber security policy; however, the enforcement of the policy was not consistent across all City departments."
To reduce the risk of further cyberattacks, the auditor wrote, "The City should establish a cybersecurity awareness training program for all network users."
The letter also said the city was "not reviewing security reports on a regular basis," and that the Cleveland Municipal Court and the Department of Public Utilities did not have multifactor authentication (MFA) policies in place.
Multifactor authentication (MFA) is a process where a user must provide two or more verification factors to gain access to a system.
"It really looks like there's some very basic foundational things that are not in place," said Alex Hamerstone, Advisory Solutions Director at TrustedSec.
The cybersecurity expert stated that the auditor's letter indicates significant and serious gaps in Cleveland's cybersecurity practices.
"You would never think to not have multifactor authentication in place," Hamerstone said. "It's a basic security control.
"If you look at really the effectiveness of a control like that, it's very effective. It's not foolproof, but it's one of those things, it's like seatbelts at this point."
Hamerstone said municipalities have a responsibility to manage and secure their systems and data.
"I really think that anything in the public sector really has a higher standard," he said. "Because people cannot choose to not give you their data."
The City of Cleveland and the Cleveland Municipal Court declined our requests for on-camera interviews.
In a statement, a city spokesperson said the city is reviewing the auditor's latest report and working with the state to improve its cybersecurity practices.
A court spokesperson said the court is also reviewing the auditor's report and will provide us a response on Friday.