Audit Advises Bridgewater State University Require Employees to Complete Cybersecurity Training

BOSTON — In an audit of Bridgewater State University (BSU), the Office of State Auditor Suzanne M. Bump (OSA) found that the university properly administered federally provided COVID-19 relief dollars, but did not ensure all employees complete cybersecurity awareness training. The audit, which reviewed the period of March 1, 2020 through March 31, 2021, is one of several audits conducted by the OSA that have reviewed the topics of cybersecurity and compliance with expenditure guidelines for federal pandemic relief funding.

“While BSU has a comprehensive information technology security policy in place, the

current policy does not include requirements for annual cybersecurity awareness training for employees. We have seen an increase in cybersecurity threats and it is in the best interest of the BSU community to take action,” said Bump. “I am pleased to see that the university is taking action in strengthening their policies around this sensitive issue.”

To address the issue of a lack of cybersecurity awareness training, the audit recommended BSU implement policies and procedures requiring personnel to complete annual cybersecurity awareness training as well as proper internal controls to maintain accurate records of completed trainings. Additionally, the audit suggests that BSU officials collaborate with union officials to establish annual cybersecurity trainings for all union employees.

BSU is a member of the Massachusetts public higher education system, which consists of 15 community colleges, nine state universities, and five University of Massachusetts campuses. Founded in 1840, BSU comprises six academic colleges, offering courses of study in the arts, the sciences, and education, in which students may work toward bachelor’s and master’s degrees. BSU also has an athletics program that includes men’s and women’s sports teams. As of fall 2020, 10,651 students were enrolled at BSU, which offered 36 undergraduate programs and 80 graduate programs.

Auditor Bump has placed an emphasis on examining cybersecurity awareness training across government agencies and institutions of public higher education. Most recently, the OSA has released audits of Middlesex Community College and Massachusetts College of Art and Design, which called on these institutions to improve cybersecurity awareness training practices.