Tag Archives: Cybersecurity

The 10-Minute Digital Librarian #9: Think about how to respect privacy

The second set of posts in our 10-Minute Digital Librarian series has focused on helping users to stay safe online, through adopting good digital hygiene, as well as good cybersecurity in libraries themselves.

At the heart of cybersecurity in particular is the effort to avoid unauthorised access to – or use of – important information, including of course personal information.

In turn, a good way of reducing risk is by reducing the amount of such personal information that is gathered and stored in the first place – in short, the less you have, the less you can lose!

You may of course face calls to gather data in order to demonstrate or improve performance. However, given the risk that a lack of privacy chills people’s willingness to search for the information they need, or to express themselves, it is important to remember that privacy itself can be a driver of better results.

IFLA itself issued a statement on the subject in 2015, and there has been a lot of very good work done in institutions and associations around the world in order to promote good practices here.

These include, for example, guides produced by the Carnegie Trust in the United Kingdom, ALA’s guidelines on privacy and the Choose Privacy Every Day site. Please do share other great resources in the comments at the bottom!

Key principles set out there, which can already serve as a basis for reflection as part of this 10-Minute Digital Librarian exercise, include:

  • Think about which activities you carry out that involve the collection of data about people. This includes both information about them (names, addresses, etc.) and/or about their behaviour.
  • Think about whether you really need to collect and use this data (and, of course, whether you have permission to).
  • Think about how you are storing data – is it in a safe place (certainly not a GoogleDoc)? How soon can you delete it?
  • Think about where services are provided by a third party and could involve the collection of data – such as databases, other services, or even simply internet access. Do the terms under which you access these services maximise privacy? Are you ensuring that the most private settings are used by default, for example on browsers?
  • If you need to gather data to monitor and improve performance, think about how you can do this in a way that maximises anonymity, that gives users a meaningful choice about taking part, and that ensures that data is not retained for longer than needed.

Take a look at the examples given above, and as underlined, share your own in the comments box below.

Good luck!


If you are interested in issues around digital safety and privacy more broadly, you should take a look at the work of IFLA’s Libraries for Children and Young Adults Section, as well as our Advisory Committee on Freedom of Access to Information and Freedom of Expression.

Discover our series of 10-Minute Digital Librarian posts as it grows.

The 10-Minute Digital Librarian #8: Check your cybersecurity

The pandemic has led both to growing reliance on the internet and other digital tools to go about our lives, but also growing awareness of the risks that come with them.

Cybersecurity is all about keeping information and services safe from unauthorised access and use. It not only helps ensure that library systems work as they should and that information is available when people need it, but is also a matter of protecting privacy.

There are various tools that exist to promote security, for example through encrypting information sent online, or defending against viruses or malware (malicious software). There is also an important role for individuals in adopting practices that reduce risks.

In the case of libraries, it will not always be possible to control all aspects of cybersecurity. For example, key decisions may be in the hands of a host institution or local/national government.

However, as part of libraries’ mission to promote online safety and privacy, it is good to be aware of what the risks are, and to act – either yourself or by calling on others – where there are risks that can be easily avoided.

So for our 8th 10-Minute Digital Librarian, check on your cybersecurity!

There are various useful and simple steps you can take to do this.

For example, making sure that your computers have received the relevant updates and patches is important – this can help ensure that you are protected against the most recent threats.

Another is to make back-up copies of key information – this can help ensure that a ransomware attack does not end up preventing you from accessing key data.
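A backup only protects against ransomware if it can actually be restored, so the step worth automating is the restore test. The script below is an added example, not code from the IFLA post: it archives a directory into a tar.gz together with a SHA-256 manifest, then restores the archive into a scratch directory and re-hashes every file. The directory layout, the manifest file name and the sample files are all constructed for this example.

```python
"""
Added example (not from the IFLA post): back up a directory and verify that
the copy restores to byte-identical files, using a SHA-256 manifest.
Assumptions: plain tar.gz on local disk; manifest name chosen for this example.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed name, chosen for this example


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map every file under source (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write source into a tar.gz archive together with its hash manifest."""
    manifest = build_manifest(source)
    manifest_path = archive.with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        # The manifest travels inside the archive so a restore can self-check.
        tar.add(manifest_path, arcname=MANIFEST_NAME)
    manifest_path.unlink()
    return manifest


def verify_backup(archive: Path) -> dict:
    """Restore into a scratch directory and re-hash every manifest entry.
    Returns {"ok": bool, "missing": [paths], "corrupt": [paths]}."""
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch_dir, filter="data")  # rejects unsafe paths
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch_dir)
        manifest = json.loads((scratch_dir / MANIFEST_NAME).read_text())
        missing, corrupt = [], []
        for rel, digest in manifest.items():
            restored = scratch_dir / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_of(restored) != digest:
                corrupt.append(rel)
        return {"ok": not missing and not corrupt,
                "missing": missing, "corrupt": corrupt}


def demo() -> dict:
    """Constructed sample: a good backup and one whose data no longer matches
    its manifest, the situation a restore test is meant to catch."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "library-data"
        (src / "catalogue").mkdir(parents=True)
        (src / "catalogue" / "records.csv").write_text("id,title\n1,Example\n")
        (src / "patrons.db").write_bytes(b"\x00" * 1024)
        good = root / "good.tar.gz"
        create_backup(src, good)
        good_result = verify_backup(good)

        # Build a damaged copy: file content changed after the manifest was taken.
        stale = root / "stale.tar.gz"
        manifest_before = build_manifest(src)
        (src / "patrons.db").write_bytes(b"\xff" * 1024)
        mpath = root / "m.json"
        mpath.write_text(json.dumps(manifest_before))
        with tarfile.open(stale, "w:gz") as tar:
            for rel in manifest_before:
                tar.add(src / rel, arcname=rel)
            tar.add(mpath, arcname=MANIFEST_NAME)
        return {"good": good_result, "stale": verify_backup(stale)}


if __name__ == "__main__":
    print(demo())
```

In practice `verify_backup` is what you would schedule after each backup run, against the copy that lives off the library network, so that a copy that has silently rotted or that ransomware has overwritten is noticed before you need it.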

A further idea is to enforce a strong password policy, in order to ensure that your and your colleagues’ devices do not become entry points.

If you have more time, you can carry out more of a review of the assets you have, and the risks you might face. For example, you may want to think about whether to encrypt your website (using https rather than http) if you have not already.

You can also consider which third party vendors, such as databases or other services, have access to your users’ data. Do they have proper policies in place to promote cybersecurity?

A step further, as highlighted in our last two posts, is to become more proactive, and integrate cybersecurity into your wider work to promote digital literacy.

You can find further ideas in our blog on cybersecurity from last year.

Let us know what steps you have taken to improve cybersecurity in your library in the comments box below.

Good luck!


Awareness, Planning, Resilience: Thoughts on Libraries’ Cyber Defense in 2020

Digital vulnerabilities pose serious challenges for organisations, governments, companies and the wider public – libraries included. Cyberattacks and data breaches made headlines many times throughout 2019, from social media and popular software to public agencies. As a landmark 2019 report of the UN Secretary-General’s High-level Panel on Digital Cooperation pointed out, both the scope of threats and the range of targets for such attacks is rapidly growing.

For libraries, the importance of protecting the data and information they work with every day is readily apparent. Less than a week into 2020, the Contra Costa County Library in the US experienced a ransomware attack, impacting a number of library services.

From email scams to hacks into a library user database, library systems can become targets – and as the COVID-19 outbreak puts more pressure on online library resources, securing their digital assets and services, not least in order to protect staff and users, is a high priority. What is at stake, and what suggestions and tips for boosting libraries’ security can we draw from broader literature and available toolkits?

The Broader Context

Broadly in the field of security, you can think of three types of threats towards data: it can be lost, exposed, or made inaccessible (known as the CIA triad – confidentiality, integrity and accessibility). A poll among cybersecurity professionals, for example, shows that the three biggest expected threats in 2020 are “weaponized email attachments and links (74%), ransomware (71%), banking trojans and other browser-based password hijackers (67%)”.

An alternative top-level taxonomy of threats (borrowing from ENISA guidelines for a different sector) identifies: malicious actions (as described above), supply chain failure (e.g. cloud service provider failure), systems failure (e.g. software or device failure), as well as threats stemming from human errors or other phenomena. All, clearly, can have negative impacts.

On the positive side, however, public awareness of digital security and privacy matters has fundamentally shifted in recent years, and more and more organisations and companies put a high priority on addressing these issues. In the UK alone, for example, about three-quarters of charities and businesses in 2019 reported that cybersecurity is a “high or very high priority”.

It is not just public attitudes that are changing. As the 2019 Internet and Jurisdiction report points out, security regulations are increasingly often linked to other fields of government regulation – especially data privacy. This can impact libraries: for instance, a 2019 publication by the Colorado State Library discussed how the recently introduced state regulation on personal information creates obligations for libraries to, inter alia, ‘implement reasonable security procedures and practices’. Similarly, under the EU GDPR libraries as data controllers have a responsibility to, inter alia, prevent, detect and report attacks and security breaches.

These regulations point to the fact that security concerns for libraries will always be particularly pressing when dealing with personally identifiable information (as well as, arguably, information on the habits and preferences of their users). So how to respond?

Assess and plan: key questions to ask

Map the assets, know the threats

A first key step to boosting a library’s cyber defence, as suggested in a number of recommendations and broader literature, is to take stock of your assets and digital systems. Map your entire system to see what needs to be protected: the Integrated Library System, the data you store, staff and patron computers, tablets and other devices, the library website, the network… Whenever applicable, this can also include apps and cloud services, since those can also contain vulnerabilities.

Once you know your assets, consider the vulnerabilities, priorities and risks. A toolkit published by Scottish PEN adapts an Electronic Frontier Foundation guide to highlight the key questions to consider:

  1. “What do you want to protect?”
  2. “Who do you want to protect it from?”
  3. “How likely is it that you will need to protect it?”
  4. “How bad are the consequences if you fail?”
  5. “How much trouble are you willing to go through in order to try to prevent those?”

You can also consider who has access to the assets you want to protect, and how you would know and respond if something goes wrong.

These questions can help you decide what measures to take to safeguard both privacy and security.

Setting up a plan

Having mapped the assets and considered the risks, you can develop a plan of security measures and risk mitigation strategies. Just like the assessment step, this is something to do together with your IT team – if your library has access to one! A 2019 Library Freedom Institute lecture on cybersecurity, for example, mentioned that some libraries might get IT support through their consortia or similar organisations, at a local City Hall, or elsewhere.

Your security plan and risk mitigation strategy should be built with your assets and situation in mind. Some key elements to consider when developing your security regime and policies are as follows – as set out in the Cyber Security Toolkit for Boards developed by the UK National Cyber Security Centre:

  • Network security
  • User awareness and education
  • Malware defense and prevention
  • Access to removable media
  • Maintaining the secure configuration of all systems
  • Managing and limiting user privileges
  • Incident management
  • Monitoring
  • Home and mobile working policy and security

Remembering the basics

Among these fundamental elements of the security regime, there are of course a few key concrete and tangible steps that can boost the security of your data, devices and processes. These are often mentioned when discussing the basics of cybersecurity, and you will likely have heard them often before:

  • Creating backups of your systems is crucial! A library that experiences a ransomware attack, for example, may be able to restore its systems faster with the help of existing backups. Have a backup plan and system that fits your needs and capacities.
  • Keeping your software updated, installing all patches and updates, is a key security measure.
  • Setting up a password policy. See, for instance, the Tactical Tech Data Detox Kit chapter on passwords to see what makes a good password (or better yet, a passphrase!).
  • Website owners are encouraged to encrypt their website(s) and make use of HTTPS instead of HTTP. HTTPS is a secure and encrypted protocol for communication between web browsers and websites – and the EFF offers some advice and resources for website owners on how to implement HTTPS by default. A 2018 case study of one public library’s HTTPS implementation points out that it is important to make use of HTTPS and related security measures consistently and pervasively, across all web-based library applications and their elements.
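“Consistently and pervasively” is where HTTPS deployments usually fall short: the home page is encrypted, but a catalogue widget, a cover-image service or a search form still points at plain http://, and browsers then block or warn about mixed content. The following is an added example, not code from the IFLA post or from the case study it cites, of two defender-side checks a library web team can run: one scans a page’s HTML for sub-resources loaded over http://, the other reviews the status and headers a server returned to decide whether plain-HTTP requests are redirected to HTTPS and whether HTTPS responses carry an HSTS header. The sample page, hostnames and headers are constructed for the example; on a real site the HTML and headers would come from fetching the page.

```python
"""
Added example (not from the IFLA post): check that HTTPS is used
consistently across a page and its server configuration.
The HTML, URLs and headers below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause the browser to fetch or submit to another resource.
# Plain <a href> links are navigation, not mixed content, so they are not listed.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "link": ("href",),
    "iframe": ("src",), "form": ("action",), "source": ("src",),
}


class _RefCollector(HTMLParser):
    """Collect (tag, absolute URL) for every sub-resource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for wanted in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    # Relative and protocol-relative (//host/x) URLs inherit
                    # the page's scheme, exactly as the browser resolves them.
                    self.refs.append((tag, urljoin(self.base_url, value.strip())))


def find_insecure_references(html, page_url):
    """Return [(tag, url)] for every sub-resource that would load over http://."""
    collector = _RefCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs
            if urlsplit(url).scheme == "http"]


def review_response(requested_url, status, headers):
    """Assess one response (status code and header dict) to requested_url.
    For an http:// request we expect a redirect to https://; for an https://
    request we expect a Strict-Transport-Security header. Returns findings."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(requested_url).scheme
    findings = []
    if scheme == "http":
        target = urljoin(requested_url, h.get("location", ""))
        if status not in (301, 302, 307, 308) or urlsplit(target).scheme != "https":
            findings.append("plain http not redirected to https")
    elif scheme == "https" and "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample page: an HTTPS catalogue page with a few stray http:// parts.
SAMPLE_PAGE_URL = "https://library.example/catalogue"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/widgets.js"></script>
<link rel="stylesheet" href="//fonts.example/font.css">
</head><body>
<img src="http://covers.example/isbn/123.jpg">
<img src="https://covers.example/isbn/456.jpg">
<form action="http://opac.example/search" method="get"><input name="q"></form>
<a href="http://partner.example/">partner link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_references(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"mixed content: <{tag}> loads {url}")
    print(review_response("http://library.example/", 200, {"Content-Type": "text/html"}))
    print(review_response("https://library.example/", 200,
                          {"Strict-Transport-Security": "max-age=31536000"}))
```

Run against a real site, the first check is worth repeating for every template and embedded application (OPAC, discovery layer, room booking), since each usually ships its own assets; the second check is only meaningful once the redirect and HSTS are in place on every hostname users reach, which is what the case study means by applying the measures pervasively.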

Staff training: protecting the library together

A key part of a library’s cyber defense – drawing on both broader literature and some library-focused overviews – is making sure that all of your staff are up to speed on the basics of online security. This can help make sure that the whole team is more alert and aware, reducing the likelihood of some of the most common threats like phishing or malware distributed through emails.

There are different resources available to start such training – such as those developed by the EFF. A 2019 pilot study published in Information Technology and Libraries, for example, provides initial evidence of how librarians taking part in online cybersecurity courses can utilise their knowledge to strengthen cybersecurity practices in their libraries.

Create learning opportunities for your communities

And finally, libraries can be well-positioned to help their community members learn essential skills to be safe online. There are different examples of how libraries have approached this task – from ad-hoc assistance or linking users to relevant educational materials, to dedicated workshops (see, for instance, a listing from the Tompkins County Public Library) or offering full courses on cyber-security (e.g. in the Hague Public Library).

Libraries can partner with cybersecurity specialists and agencies to deliver such training – as well as host dedicated awareness-raising campaigns. Depending on capacity, a library can adopt some of the approaches listed above, or find its own ways to help its community learn essential cybersecurity skills.

These are of course just a few broad elements highlighted in the broader literature to consider when creating a library’s security strategy. With more demand for online library resources and services – and so more risk – it is worthwhile to go over your library’s security plans and practices to be sure that your data, information and processes are safe and well!