(Feb. 8, 2024) The Steamship Authority needs to rework its policies regarding cybersecurity and employee perks, according to a state audit released this week.
The audit also found that the boat line had appropriately spent the COVID-19 relief funding it received during and after the pandemic.
The office of state auditor Diana DiZoglio reviewed a two-year period of SSA operations from July 1, 2019 through Dec. 31, 2021 and found that the Authority lacks a comprehensive cybersecurity training program for its employees and may be too lenient with its policies regarding free rides for employees and their families.
“Probably most of the things in there are already done, or in the works. Sometimes these things come out and it’s not always clear in the documentation what the Steamship is doing to address them. Despite what the public thinks, the Steamship is very open to addressing issues like this,” Rob Ranney, Nantucket’s representative on the boat line’s board of governors, said Tuesday.
In June 2021, a cybersecurity attack rendered the SSA website unusable for over a week. An investigation was done over the following month, and it was concluded that no customer information or payment data was compromised in the incident, and the attack was not directed at the boat line’s vessels themselves, but the cyber-attacker was never identified.
The auditor’s office recommended the SSA replace its current, undocumented cybersecurity awareness training practices with a formal, documented cybersecurity awareness training program; implement monitoring controls to ensure that all employees are assigned to and complete cybersecurity awareness training; clearly define and document the positions responsible for administering and monitoring the program; and ensure that all employees have access to computers to take the training.
The SSA has acknowledged and agreed with those recommendations, Ranney said. The boat line told the state that its director of management information systems will be responsible for establishing and maintaining a more formal comprehensive cybersecurity awareness training program, and its director of human resources will be responsible for tracking the completion of the classes.
Additionally, boat line management said all new hires will need to complete the cybersecurity awareness training program within 30 days of employment and prior to being issued system credentials and passwords. Laptops have already been purchased and distributed to all locations including vessels, to provide access for employees to complete the training.
The audit also prompted the SSA to tighten up its policies for giving free rides to employees and their families.
“Although some employee passage and ticket-agent policies exist, Steamship Authority employees do not always follow these established policies to issue trip passes to current, retired, temporary or seasonal employees and eligible non-employees,” the audit concluded. “We further conclude that control weaknesses exist in the areas of badges permitting access to facilities and free rides, the absence of travel logs in five of the seven facilities and the capture of inconsistent information when granting trip passes.”
The state recommended the boat line should update its employee manual to make it clearer who is eligible for free rides. Currently, retired employees and their spouses are allowed annual passes that provide free travel to and from Nantucket and Martha’s Vineyard year-round.
Their children, as well as seasonal employees, are allotted trip passes that are good for one free trip at a time.
In response, the SSA said all employee ID badges will be replaced with new badges, all old badges will be deactivated and new employee ID badges will now include credentials that will be readable by the access control readers at all of the terminal slips. Employees who present their ID badge for travel must scan at the reader to be allowed on the boat.
The human resources department will be responsible for the badges, including the activation, deactivation, distribution and reconciliation of all employee passes. They will also maintain a log of the badges and submit it to the accounting department on a monthly basis. Employee travel records will be reviewed monthly.
Employee benefits will also be more clearly defined in the manual handed out to workers.