This page is offered by the Office of the State Auditor.

BHCC Did Not Implement an Enterprise-Wide Cybersecurity Awareness Training Program.

Without an enterprise-wide cybersecurity awareness training program, BHCC is exposed to a higher risk of cybersecurity attacks that may result in financial and/or reputation losses.


Overview

BHCC did not implement an enterprise-wide cybersecurity awareness training program for personnel and, where relevant, contractors and temporary staff members. Without an enterprise-wide cybersecurity awareness training program, BHCC is exposed to a higher risk of cybersecurity attacks that may result in financial and/or reputation losses.

Authoritative Guidance

According to Section 6.2.1 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, an entity must do the following:

Implement an enterprise-wide information security awareness and training program.

6.2.1.1 Develop appropriate training materials in collaboration with [the entity’s] Human Resources and Legal.

Reasons for Issue

BHCC officials stated that when they sent notices to employees about the mandatory cybersecurity awareness training, the unions represented at BHCC delayed the deployment of the training. BHCC and the unions could not come to an agreement on compensation for the training.

Recommendations

1. BHCC officials should implement an enterprise-wide cybersecurity awareness training program.

2. BHCC officials should negotiate with union officials to establish cybersecurity awareness training requirements for personnel and, where relevant, contractors and temporary staff members.

Auditee’s Response

Data security has been and continues to be a top priority at Bunker Hill Community College. Cybersecurity training is a key component to the security strategy. However, Bunker Hill did not deploy [cybersecurity awareness training] during the audit period despite the purchase of KnowBe4 Security Awareness Training platform. When notices went out that BHCC would begin security training both [unions] initially balked at mandatory trainings. The rationale was potential compensation, whether staff would be evaluated on training outcomes and other factors.

[The] Chief Information Officer; . . . Chief Information Security Officer / Director of Network Operations; and . . . Associate VP of Human Resources with representation from both unions met to resolve concerns. The outcome was that trainings would commence for [non-union] and [one union’s] staff in summer 2021 and for [the second union] in fall 2021. An email was sent to all staff to inform them of the trainings. . . .

One week after this email went out and prior to training, [the employee] who set up the security platform unexpectedly passed away. The trainings did not commence. In addition, requiring cybersecurity training has been a State Community College issue with several college constituents voicing various concerns. The community colleges enlisted help from state general counsel to require security training. . . .

The following actions are taken to improve this process:

  • Cybersecurity training was rolled out to all staff, [full-time] and adjunct faculty in November 2021. These trainings will continue to be a core element of BHCC’s cybersecurity strategy.
  • Despite the lack of the key component of security awareness training during the audit period, Bunker Hill implemented best practice security strategies including:
      • Cisco Umbrella [cybersecurity management system]
      • [Domain name system] that filters suspect websites
      • Barracuda Firewall screening
      • Spam filtering
      • Preventing sending of any data that is a social security number or credit card
      • Preventing inbound emails containing executable attachments or suspect documents
      • Encryption of all laptops
      • Dual authentication to external facing systems with exception of student enrollment portal
      • Empow [security information and event management, or SIEM]—[artificial intelligence] data protection
      • Rapid7 SIEM—end point screening

Auditor’s Reply

Based on the response above, BHCC is taking measures to address our concerns.

Date published: June 13, 2022
