Office of the State Auditor

BCC Did Not Always Ensure That Its Employees Who Had Access to COVID-19 Funding Completed Initial Cybersecurity Awareness Training or Annual Refresher Training.

If BCC does not always ensure that its employees complete cybersecurity awareness training, the college is exposed to a higher risk of cyberattacks and financial and/or reputational losses.

Overview

The two employees who were hired during the audit period and given access to COVID-19 funding did not complete cybersecurity awareness training within 30 days of hire, and 22 of 29 employees with access to COVID-19 funding did not complete annual cybersecurity awareness refresher training.

Authoritative Guidance

Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issue

While reviewing this issue with us, BCC management acknowledged the importance of providing cybersecurity awareness training to all system users. They also noted several obstacles that had affected their ability to implement an effective cybersecurity awareness training program. These obstacles were associated with transitioning to a different cybersecurity awareness training provider, as well as turnover in BCC’s Information Technology Department. Additionally, BCC lacked the policies, procedures, and controls needed to administer an EOTSS-compliant cybersecurity awareness training program.

Recommendation

BCC should develop and implement policies, procedures, and controls to ensure that its employees with access to COVID-19 funding complete an EOTSS-compliant cybersecurity awareness training program.
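One control that satisfies this recommendation is an automated check of the training platform's export against the two IS.010 requirements quoted above (an initial course within 30 days of orientation, and an annual refresher), so that the control owner sees overdue staff before an auditor does. The script below is an added example and is not from the audit report or from BCC's own tooling; the roster, the audit date and the reading of "annual" as 365 days are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Requirements quoted from EOTSS IS.010 section 6.2.
INITIAL_WINDOW = timedelta(days=30)       # 6.2.3: initial course within 30 days of orientation
REFRESHER_INTERVAL = timedelta(days=365)  # 6.2.4: "annual", read here as 365 days (assumption)


@dataclass(frozen=True)
class Employee:
    emp_id: str
    orientation: date                 # new hire orientation date
    initial_training: Optional[date]  # completion of the initial awareness course, if any
    last_refresher: Optional[date]    # most recent annual refresher completion, if any
    funding_access: bool              # in scope only if the employee can access the funds


def initial_training_finding(emp: Employee, as_of: date) -> Optional[str]:
    """Check 6.2.3. Returns a finding string, or None if compliant."""
    deadline = emp.orientation + INITIAL_WINDOW
    if emp.initial_training is None:
        # No course on record: only a finding once the 30-day window has closed.
        return "initial training overdue" if as_of > deadline else None
    return "initial training late" if emp.initial_training > deadline else None


def refresher_finding(emp: Employee, as_of: date) -> Optional[str]:
    """Check 6.2.4. The most recent training (refresher, else the initial
    course) must fall within the refresher interval."""
    if emp.initial_training is None:
        return None  # governed by the initial-training check, not this one
    latest = emp.last_refresher or emp.initial_training
    return "annual refresher overdue" if as_of - latest > REFRESHER_INTERVAL else None


def audit(roster, as_of):
    """Map emp_id -> findings, for in-scope employees with at least one finding."""
    findings = {}
    for emp in roster:
        if not emp.funding_access:
            continue
        issues = [f for f in (initial_training_finding(emp, as_of),
                              refresher_finding(emp, as_of)) if f]
        if issues:
            findings[emp.emp_id] = issues
    return findings


def summarize(roster, as_of):
    """(non-compliant, in-scope) counts, the form the report uses: '22 of 29'."""
    in_scope = [e for e in roster if e.funding_access]
    return len(audit(roster, as_of)), len(in_scope)


# Constructed sample export (not real BCC data); the audit date is also assumed.
AS_OF = date(2022, 6, 30)
ROSTER = [
    Employee("emp-01", date(2022, 3, 1), date(2022, 3, 20), None, True),              # on time
    Employee("emp-02", date(2022, 4, 1), None, None, True),                           # window closed, no course
    Employee("emp-03", date(2019, 9, 1), date(2019, 9, 15), date(2021, 5, 10), True),  # refresher over a year old
    Employee("emp-04", date(2018, 1, 8), date(2018, 1, 20), date(2021, 11, 2), True),  # compliant
    Employee("emp-05", date(2020, 2, 3), None, None, False),                          # no funding access: out of scope
    Employee("emp-06", date(2022, 6, 15), None, None, True),                          # still inside the 30-day window
    Employee("emp-07", date(2021, 10, 4), date(2021, 12, 1), None, True),             # completed, but after the deadline
]

if __name__ == "__main__":
    for emp_id, issues in audit(ROSTER, AS_OF).items():
        print(emp_id, "; ".join(issues))
    bad, total = summarize(ROSTER, AS_OF)
    print(f"{bad} of {total} in-scope employees have findings")
```

A new hire still inside the 30-day window (emp-06) produces no finding under either rule, and an employee without funding access (emp-05) is excluded from the denominator, which mirrors how the audit scoped its 29 employees. Running the check on a schedule and feeding the findings to the nudging described in the auditee's response would give the college evidence of the control operating, not just of the policy existing.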

Auditee’s Response

The College will implement revised policies, procedures, and controls to ensure that our employees who have access to Covid-19 funding (and [Colleague]) complete an EOTSS-compliant cybersecurity awareness training program by October 2022. The following changes have been and will be implemented since the audit issues were identified. . . .

  • On July 12th, the College instituted MFA (Multi-Factor Authentication) on Microsoft 365 accounts . . . and [our virtual private network] starting with staff, then a phased approach for summer enrolled students, then students returning this fall, as dictated by our cyber security insurance carrier.
  • As part of our new policies and procedures, the College will introduce October as Cyber Security Month this year and going forward.
  • KnowBe4 [cybersecurity awareness training software] licenses were purchased for all employees for cyber awareness and training, which will provide monthly modules as part of our developing training plan. Participation by all employees at the College will be captured and employees will be nudged to complete training in a timely manner. Requiring cyber security participation has now been agreed to state-wide at the Massachusetts community colleges with respective collective bargaining units.
  • More advanced endpoint security protection was purchased through a State grant for college equipment including laptops, desktops, etc. It will be a component of our developing control plan.
  • The College purchased KACE Systems Management Appliance through a state grant, ensuring all college computers have the latest security patches. This is also a component of our developing control plan.

Auditor’s Reply

Based on its response, BCC is taking measures to address our concerns on this matter.

Date published: August 30, 2022
