Other Matters: Information Security Training

The audit encourages GCC to require IT security training for all new employees and annually for all personnel.

Overview

According to the Association of Certified Fraud Examiners’ article “Cyberattacks in Higher Education at an Epidemic Level,” each year colleges and universities nationwide lose millions of dollars to cybercriminals. The article states,

Higher education is highly susceptible. . . .

[University servers] hold treasure troves of valuable data, including sensitive student and employee data, such as addresses, passwords, payment details, bank information and confidential research. . . .

During the global pandemic . . . the risks are greatly increased and access points for hackers are multiplied.

This has resulted in an escalation in cyberattacks on institutions of higher education. The most effective way to prevent such cyberattacks is through information security training.

During our audit, we noted that GCC had not established a program to ensure that system users received information security training. Contrary to the Information Security Risk Management Standard IS.010 issued by the Enterprise Security Office within the Executive Office of Technology Services and Security, and industry best practices promoted in the National Institute of Standards and Technology’s Special Publication 800-53r5 (Security and Privacy Controls for Information Systems and Organizations), GCC does not require new employees to take initial information security training as part of new hire orientation, nor does it require employees to take refresher training annually thereafter. Instead, information security training at GCC is voluntary.

Without educating all system users, by requiring training, on their responsibility to help protect the security of information assets, GCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses. We strongly encourage GCC to require information security training for all new employees and annual refresher training for all personnel.

Date published: July 12, 2021