Presentation
Wednesday, August 18th 2021 from 4:00pm to 5:00pm
The following is a summary of the event by Mary Bakija, Program Manager, METRO, published on August 27, 2021.
Major data breaches are occurring with increasing frequency, and the current deluge of concerning reports such as the Colonial Pipeline, SolarWinds, and T-Mobile attacks can feel both terrifying and overwhelming. Dan Ayala of Secratic and Gary Price of Library Journal’s INFODocket joined us at METRO for a talk on Zoom on Wednesday, August 18 to help us find actionable steps to avoid having sensitive personal and library system information compromised.
Awareness of prevention techniques and education on how to implement them is the first step, which is where Dan and Gary say libraries can be incredibly valuable. But we can’t educate others before we educate ourselves. They advise libraries to hold regular, ongoing data security awareness sessions for internal staff, covering everything from how to spot an email phishing scam to password management. Ideally, this will help create an environment where people will understand it’s okay to admit when a security incident may have occurred.
“The last thing you want is people feeling like they can’t come forward and say, ‘I might have clicked on this link, and I might have included my username and password, which now can be used against the library,’” Dan said.
Specific scams to look out for include:
- Urgent emails that appear to come from someone in a leadership position at the library. Scammers count on you being less likely to ask those leaders, “Did you really send this?”
- Anyone asking for iTunes gift cards, or asking that you print out the attached W2s, for example.
- A message from your email provider that says your mailbox is full, and to click on a link to get more storage. They’re preying on your worry about doing your job well.
Knowing Who to Trust
If you have a good IT department or a skilled CIO, having these regular security conversations should hopefully be part of their roles. But if they’re not well versed in all the vendors you use, or they’re stretched too thin to help? Sometimes the best move is to bring in outside expertise. Look for a consultant who can provide advice on your specific needs, so they can help you understand what you can and can’t do to guard against breaches. Consultants can also assist after an incident has occurred.
Knowing who to trust with this sensitive information can be intimidating. “A lot of that will come from word-of-mouth,” Dan said, noting that if a consultant has worked with a library before, they’re already ahead of the game. “It’s important that somebody gets to know, for lack of a better term, the business of your library first, and uses that to be able to make recommendations that are appropriate to you, appropriate to that business.”
The same might be said for your technology vendors. It’s unlikely (but not impossible) that a small library will be targeted by hackers, and the likelihood increases the bigger an organization gets. So if you rely on software that’s developed and maintained by a massive company, and that company’s technology is compromised, that can potentially impact your work.
“You have to know the controls that are in place, and what they’re doing not just to secure the data, but also what they’re doing with the data,” he said.
Password Safety
“Humans are really bad at being random,” Dan said.
Unfortunately, the strongest passwords are very random. If you can’t be random, then using a unique password for every single thing that needs one is a good first step—except then you have to remember a lot of unique passwords, which in practice means you’ll probably spend a lot of time resetting them.
The safest bet, then, is to use a password manager, which will generate unique passwords for each account you need it for, and you only need to remember the password to the manager.
“This means good security,” Dan explained. “So that when you get notice that a site has been compromised, then you only have to go back and change one password.”
While some free password managers exist, they acknowledged that there are additional risks associated with using a free service and recommended several subscription password managers, which may be an expense that’s untenable for many.
Dan and Gary also recommend using multi-factor authentication (MFA) wherever it’s offered. MFA requires a second key, beyond your password, to access an account. That could be a code sent to your phone by text message, or a key fob that displays numbers you enter for access. MFA is an excellent buffer against bad actors, but, as they emphatically noted, the process is a total drag.
“It’s definitely a drag!” Dan said. “And it’s what makes people inclined not to use them, or to turn them off—because it is frustrating! Security has a user experience problem.”
Public Safety
Working with the public opens up several potential security risks, but Dan and Gary have some tips for staying safe.
Ensuring patrons are aware of the same issues that were discussed above is an excellent first step. Are there digital safety courses you can point them toward, or ones you could host yourself? Are there any ways, in your interactions with patrons, that you can provide simple instruction on how to look out for potential phishing scams or why a strong password is important?
As for shared public computers, they advise libraries to treat them as if somebody’s done something bad to that computer. They recommend using technologies like Deep Freeze, which protects shared computers by restoring them to a saved configuration every time you restart them.
“People who don’t have their own technology are going to come into libraries,” Dan said. “So we owe it to the patrons to return those systems to a safe state after each use.”
Ultimately, data security health is about being aware of the risks and the processes required to fix issues, and then determining the best balance for yourself—but one that’s still at a level to keep most people safe. You (and your patrons) are constantly exchanging data with other people, so your security can impact theirs.
For resources on how to prevent data breaches, please see this handy document created by Gary and Dan: https://bit.ly/preventbreaches