The Steamship Authority is tightening its cybersecurity training program and policies around free ferry rides for employees and their families after a recent audit of the ferry line. 

The State Auditor’s Office Monday released a new audit of the Steamship Authority, looking at how the service used federal pandemic relief funds and cybersecurity training. Auditor Diana DiZoglio found the authority followed the guidelines for the CARES Act money but needed better documentation and monitoring for its cybersecurity training, as well as the employee ferry pass program. 

The routine audit by the state examined the Steamship Authority from 2020 through 2021. The ferry line does have cybersecurity training for employees, going over electronic communications, email and phishing warnings and safeguarding personal information. But the auditor’s office recommended the Steamship Authority implement a more formal training program and better monitoring to ensure all employees are completing the training, the auditor wrote.

This would get the Steamship Authority in line with the state’s Executive Office of Technology Services and Security’s standards, which are not required of the Steamship Authority but recommended by the auditor. 

In response, the Steamship Authority said its director of management information systems would be responsible for establishing a more formal training program and work with the human resources department to make sure new employees complete their training and conduct periodic refresher courses. 

“We appreciate the time and effort the Auditor’s Office took to produce this detailed report, which will aid the Steamship Authority to improve cybersecurity awareness across its operations,” said Steamship Authority general manager Robert Davis. “The Authority has thoroughly reviewed the audit and concurs with its findings. I am pleased that the Auditor’s Office noted that we have properly spent more than $9.8 million in Coronavirus Aid, Relief, and Economic Security funds that were distributed by the federal government. We have already begun to take corrective action on its recommendations for improvement, most notably enhancing the Authority’s cybersecurity preparedness and training programs.”

The auditor’s office also raised concerns about free ferry passage being extended to people not eligible under the Steamship Authority’s policies. 

The ferry line’s employee policies and procedures manual allows current and retired regular Steamship Authority employees, their spouses and their dependent children under 19 to get free day trip passes on the ferry. Seasonal employees are also allowed ferry passes. In practice, though, the Authority has allowed unmarried partners and older dependent children to obtain free passes, as well as the partners of seasonal employees. 

Employees are issued identification badges that permit the free trips. The auditor was concerned that the ferry line did not have a list of activation badges, nor a complete set of travel logs for people taking free trips. 

The Steamship Authority said it would replace all current identification badges with new ones, and those badges would have to be scanned to get onto a vessel. A new updated policy on the practice is also expected to be presented to the Steamship’s board of governors.