Overview
According to the Association of Certified Fraud Examiners’ article “Cyberattacks in Higher Education at an Epidemic Level,” each year colleges and universities nationwide lose millions of dollars to cybercriminals. The article states,
Higher education is highly susceptible. . . .
[University servers] hold treasure troves of valuable data, including sensitive student and employee data, such as addresses, passwords, payment details, bank information and confidential research. . . .
During the global pandemic . . . the risks are greatly increased and access points for hackers are multiplied.
This has resulted in an escalation in cyberattacks on institutions of higher education. The most effective way to prevent such cyberattacks is through information security training.
During our audit of Massachusetts Bay Community College’s (MBCC’s) internal control environment, we noted that MBCC had not established a program to ensure that system users received information security training. Contrary to industry best practices promoted by the National Institute of Standards and Technology’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, MBCC does not require new employees to take initial information security training as part of new hire orientation, nor does it require employees to take refresher training annually thereafter. Instead, information security training at MBCC is voluntary.
Without educating all system users on their responsibility of helping protect the security of information assets by requiring training, MBCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses. We strongly encourage MBCC to require information security training for all new employees and annual refresher training for all personnel.
| Date published: | May 11, 2021 |
|---|