{"id":1964,"date":"2020-03-27T12:20:26","date_gmt":"2020-03-27T11:20:26","guid":{"rendered":"http:\/\/blogs.ifla.org\/lpa\/?p=1964"},"modified":"2020-03-27T12:24:21","modified_gmt":"2020-03-27T11:24:21","slug":"awareness-planning-resilience-thoughts-on-libraries-cyber-defense-in-2020","status":"publish","type":"post","link":"https:\/\/blogs.ifla.org\/lpa\/2020\/03\/27\/awareness-planning-resilience-thoughts-on-libraries-cyber-defense-in-2020\/","title":{"rendered":"Awareness, Planning, Resilience: Thoughts on Libraries\u2019 Cyber Defense in 2020"},"content":{"rendered":"

Digital vulnerabilities pose serious challenges for organisations, governments, companies and the wider public \u2013 libraries included. Cyberattacks and data breaches made headlines many times throughout 2019, from social media and popular software to public agencies<\/a>. As a landmark 2019 report of the UN Secretary-General\u2019s High-level Panel on Digital Cooperation<\/a> pointed out, both the scope of threats and the range of targets for such attacks is rapidly growing.<\/em><\/p>\n

For libraries, the importance of protecting the data and information they work with every day is readily apparent. Less than a week into 2020, the Contra Costa County Library in the US experienced a ransomware<\/a> attack, impacting a number of library services.<\/p>\n

From email scams<\/a> to hacks into a library user database<\/a>, library systems can become targets \u2013 and as the COVID-19 outbreak puts more pressure on online library resources, securing their digital assets and services, not least in order to protect staff and users, is a high priority. What is at stake, and what suggestions and tips for boosting libraries\u2019 security can we draw from broader literature and available toolkits?<\/p>\n

The Broader Context<\/strong><\/p>\n

Broadly in the field of security, you can think of three types of threats towards data:\u00a0 it can be lost, exposed, or made inaccessible (known as the CIA triad \u2013 confidentiality, integrity and accessibility)<\/a>. A poll among cybersecurity professionals, for example, shows that the three biggest expected threats in 2020 are \u201cweaponized email attachments and links (74%), ransomware (71%), banking trojans and other browser-based password hijackers (67%)\u201d.<\/p>\n

An alternative top-level taxonomy of threats (borrowing from ENISA guidelines<\/a> for a different sector) identifies: malicious actions (as described above), supply chain failure (e.g. cloud service provider failure), systems failure (e.g. software of device failure), as well as threats stemming from human errors or other phenomena. All, clearly, can have negative impacts.<\/p>\n

On the positive side, however, public awareness on digital security and privacy matters<\/a> has fundamentally shifted in the recent years, and more and more organisations and companies put a high priority on addressing these issues. In the UK alone, for example, about three-quarters of charities and businesses<\/a> in 2019 reported that cybersecurity is a \u201chigh or very high priority\u201d.<\/p>\n

It is not just public attitudes that are changing. As the 2019 Internet and Jurisdiction report<\/a> points out, security regulations are increasingly often linked to other fields of government regulation \u2013 especially data privacy. This can impact libraries: for instance, a 2019 publication by the Colorado\u00a0 State\u00a0 Library<\/a> discussed how the recently introduced state regulation on personal information creates obligations for libraries to, inter alia, \u2018implement reasonable security procedures and practices\u2019. Similarly, under the EU GDPR libraries as data controllers have a responsibility to<\/a>, inter alia, prevent, detect and report attacks and security breaches.<\/p>\n

These regulations point to the fact that security concerns for libraries will always be particularly pressing when dealing with personally identifiable information (as well as, arguably, information on the habits and preferences of their users<\/a>). So how to respond?<\/p>\n

Assess and plan: key questions to ask <\/strong><\/p>\n

Map the assets, know the threats<\/em><\/p>\n

A first key step to boosting a library\u2019s cyber defence, as suggested in a number of recommendations and broader literature, is to take stock of your assets and digital systems. Map your entire system to see what needs to be protected: the Integrated Library System, the data you store, staff and patron computers, tablets and other devices, the library website, the network<\/a>\u2026 Whenever applicable, this can also include apps and cloud services<\/a>, since those can also contain vulnerabilities.<\/p>\n

Once you know your assets, consider the vulnerabilities, priorities and risks. A toolkit published by Scottish PEN<\/em><\/a> adapts an Electronic Frontier Foundation<\/em> guide to highlight the key questions to consider:<\/p>\n

    \n
  1. \u201cWhat do you want to protect?”<\/li>\n
  2. \u201cWho do you want to protect it from?\u201d<\/li>\n
  3. \u201cHow likely is it that you will need to protect it?\u201d<\/li>\n
  4. \u201cHow bad are the consequences if you fail?\u201d<\/li>\n
  5. \u201cHow much trouble are you willing to go through in order to try to prevent those?\u201d<\/li>\n<\/ol>\n

    You can also consider<\/a> who has access to the assets you want to protect, and how you would know and respond if something goes wrong.<\/p>\n

    These questions can help you decide what measures to take to safeguard both privacy and security.<\/p>\n

    Setting up a plan<\/em><\/p>\n

    Having mapped the assets and considered the risks, you can develop a plan of security measures and risk mitigation strategies. Just like the assessment step, this is something to do together with your IT team \u2013 if your library has access to one! A 2019 Library Freedom Institute lecture on cybersecurity<\/a>, for example, mentioned that some libraries might get IT support through their consortia or similar organisations, at a local City Hall, or elsewhere.<\/p>\n

    Your security plan and risk mitigation strategy would be built with your assets and situation in mind. Some key elements to consider when developing your security regime and policies are as follows \u2013 as set out in the Cyber Security Toolkit for Boards<\/em><\/a> developed by the UK National Cyber Security Center:<\/p>\n