Other Matters: Information Security Training

According to the Association of Certified Fraud Examiners’ article “Cyberattacks in Higher Education at an Epidemic Level,” each year colleges and universities nationwide lose millions of dollars to cybercriminals. The article states,

Higher education is highly susceptible. . . .

[University servers] hold treasure troves of valuable data, including sensitive student and employee data, such as addresses, passwords, payment details, bank information and confidential research. . . .

During the global pandemic . . . the risks are greatly increased and access points for hackers are multiplied.

This has resulted in an escalation in cyberattacks on institutions of higher education. The most effective way to prevent such cyberattacks is through information security training.

During our audit, we noted that Springfield Technical Community College (STCC) had not established a program to ensure that system users received information security training. Information Security Risk Management Standard IS.010, issued by the Enterprise Security Office within the Executive Office of Technology Services and Security, requires Commonwealth agencies to ensure that all personnel are trained on all relevant rules and regulations for cybersecurity. These requirements include security awareness training for all new hires and annual refresher security awareness training for all personnel. STCC does not require new employees to take initial information security training as part of new hire orientation, nor does it require employees to take refresher training annually thereafter. Instead, information security training at STCC is voluntary.

Without educating all system users on their responsibility of helping protect the security of information assets by requiring training, STCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses. We strongly encourage STCC to adhere to the requirements of the Enterprise Security Office and require information security training for all new employees and annual refresher training for all personnel.

STCC is currently working towards providing mandatory information security training for all employees as recommended. The college is working with legal counsel concerning collective bargaining complications in an effort to require all [Massachusetts Community College Council] and [American Federation of State, County & Municipal Employees] union members to complete annual training. We have also obtained a license for an information security training platform and will be requiring [non-union professionals] and newly hired employees to complete the training.