Offered by: Office of the State Auditor

The Massachusetts Legal Assistance Corporation Did Not Ensure That All Employees Completed Annual Cybersecurity Awareness Training.

MLAC did not have documentation to support that its staff members completed cybersecurity awareness training during our audit period. MLAC could not provide the employee list and training records for fiscal year 2020.

Overview

The Massachusetts Legal Assistance Corporation (MLAC) did not have documentation to support that its staff members completed cybersecurity awareness training during our audit period. MLAC could not provide the employee list and training records for fiscal year 2020. We received a list of the 20 MLAC employees in fiscal year 2021 and a list of employees who completed cybersecurity awareness training in fiscal year 2021, which we used to determine whether all MLAC employees had completed the cybersecurity awareness training. We found that 6 of the 20 employees on the fiscal year 2021 employee list had not completed the training.

We recognize that MLAC is a quasi-public agency and, therefore, is not required to follow the Executive Office of Technology Services and Security’s guidelines. However, as a best practice, MLAC should follow this state office’s policies and procedures. The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 requires that all Commonwealth personnel be trained annually for cybersecurity awareness. Section 6.2 of the document states: “The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

By not ensuring that all its employees complete annual cybersecurity awareness training, MLAC is exposed to a higher risk of cyberattacks that may result in financial and/or reputational losses.

Auditee’s Response

MLAC requires and provides cyber security awareness training to all its employees, consultants, and [Interest on Lawyers Trust Account] Committee staff.

In [fiscal year 2020], all staff were asked to complete cyber security training. However, MLAC was unable to access the training records from the training provider after March 31 that year. We did not understand that MLAC needed to preserve its own records. In addition, the [2019 coronavirus] pandemic hit in mid-March 2020, requiring MLAC’s Director of Technology and MLAC’s technology support staff to quickly and unexpectedly pivot to provide significant [information technology] support to MLAC staff and to many of our [legal aid organizations] as we all needed to shift to a remote work environment.

Again, in [fiscal year 2021] MLAC employees were required to complete the cyber security training by March 31. All report data was compiled as of that date. Any staff who did not complete the training by that date were not included in the cyber security report, even if they completed the training after March 31.

In [fiscal year 2022] and [fiscal year 2023] all MLAC employees completed the cyber security training by March 31; MLAC retains those records and will continue to ensure full compliance moving forward.

Auditor’s Reply

Based on its response, MLAC is taking measures to address our concerns on this matter.

Date published: June 16, 2023