Technology & Data Security in Libraries: A Playbook for Managing Today’s Imperative

St. Louis Public Library found out the hard way about the far-reaching impact of technology threats. In 2017, the library’s technology infrastructure was attacked with ransomware, wreaking havoc on all 700 of the library’s computers. The hackers rendered them useless and prevented all book borrowing.
Dave Maxfield, CIO of Library Systems & Services | October 19, 2017

Threats Abound

Ransomware is one of many types of attacks that can occur via desktop computers, laptops, tablets, mobile phones, apps, websites and email. The resulting loss of data, identities, privacy and even systems creates significant disruption. Other common, malicious software programs include:

    • Viruses. These reproduce and spread to corrupt systems and destroy data.
    • Worms. This form of malware takes advantage of security failures to consume bandwidth and harm networks.
    • Trojan Horses. These are triggered by clicking on ads, downloading files, or accessing harmful links in email or text messages.
    • Denial of service. This occurs when a website is overloaded with traffic, preventing functions or grinding them to a halt.
    • Phishing. This attack happens when transactions appear to process normally, but in the background data is captured, viruses are deployed and hackers gain future access.

Hackers often use social engineering approaches, such as a link in a seemingly normal email or text, to trick users and collect information, commit fraud or gain system access. Unfortunately, well-intentioned employees and patrons don’t suspect negative outcomes from these common actions.

The danger further multiplies with younger generations of computer users, who are much more trusting of devices and open to sharing personal information.

Protection Strategy One: Prevention

Libraries can prevent many threats by implementing an overall security policy and frequent communication to ensure users are educated. Prevention best practices include:

  • Require patrons and staff to adhere to a password strategy that mandates frequent changes and a mix of numbers, letters and special characters. Consider suggesting a full sentence that’s easy to remember but harder for hackers to guess.
  • Leverage a larger domain authentication plan that includes role-based authorization, allowing only accounts associated with a specific role to access systems and preventing unauthorized access.
  • Educate patrons and staff on the overall need for security, underscoring the value of personal information and the importance of protecting it. Highlight how small, unassuming actions like opening strange emails can lead to drastic consequences.
  • Require virtual private networks (VPNs) for more technical system managers and librarians to securely access library systems. VPNs encrypt data while in transit and offer another layer of protection that can be unlocked with a code kept in an online vault.
  • Access internal sites via the HTTPS protocol for extra safety.
  • Implement threat prevention software to provide layered security on both servers and desktop machines.
  • Apply perimeter security on firewalls. “Stateful” scans of content frequency, volume and sequences, as well as destination domains and addresses known to be troublesome, enable intelligent judgments to protect systems.
  • Use the complementary white/blacklist capability provided through reputable email vendors to deliver or quarantine emails accordingly.

New threats emerge every day, so it is imperative that protective protocols are current and in working order. To alleviate disruption in computer use, software updates can be scheduled at night when library computers are not in use.

In addition to prevention tools, libraries also need to apply best practices when it comes to system access and permissions. Prohibit generic administrative privileges as tracking activity with generic logins is difficult. Minimize system-wide access to as few individuals as possible, and require logins with a specific user name to limit risk. Change the default passwords from software and hardware vendors.

Protection Strategy Two: Detection

Even with prevention strategies in place, incidents happen, so libraries need complementary detection efforts.

  • Deploy enterprise-class firewalls, servers and routers. More robust than off-the-shelf retail products sold at consumer outlets, enterprise-class equipment more readily adapts to new threats and integrates with security structures of large systems.
  • Implement intrusion detection system (IDS) software to monitor networks and traffic for suspicious activity. The best systems are both real-time and analytical, identifying vulnerabilities and patterns of threats, and adapting to them.
  • Ensure ongoing vigilance with quarterly security audits that scan for viruses and test firewalls, wireless and Ethernet ports.

Protection Strategy Three: Recovery

All library systems—servers, applications, storage and even integrated library systems (ILS)—are susceptible to hacking. If a breach occurs, taking action to minimize impact and ensure a quick and safe recovery is essential.

  • Automate the data backup function to maintain a recent copy of data. Set backups to occur at certain times of the day, or when triggered by milestones or specific events. For example, reaching a threshold of newly issued library cards, or hosting a number of job training events where patrons input data could activate a backup.
  • Perform routine testing of backups to ensure they are successful.
  • Follow the 3-2-1 backup strategy in which there are always three copies of critical data: two on different media or devices, and one offsite.
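The three recovery practices above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it decides when a time- or event-triggered backup is due and audits a copy inventory against the 3-2-1 rule, counting only copies that are recent and passed a restore test. The `Copy` record, the thresholds, the 48-hour freshness window and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str
    media: str            # e.g. "server-disk", "nas", "cloud"
    offsite: bool
    taken_at: datetime
    restore_tested: bool  # did the last routine restore test succeed?

def backup_due(last_backup, now, new_cards, training_events,
               max_age=timedelta(hours=24), card_limit=200, event_limit=3):
    """Return the reason a backup should run now, or None (limits are assumed)."""
    if now - last_backup >= max_age:
        return "scheduled interval reached"
    if new_cards >= card_limit:
        return "new library card threshold reached"
    if training_events >= event_limit:
        return "training event threshold reached"
    return None

def check_3_2_1(copies, now, max_age=timedelta(hours=48)):
    """Return findings against the 3-2-1 rule; an empty list means compliant."""
    # A copy only counts if it is recent enough and its restore test passed.
    usable = [c for c in copies
              if now - c.taken_at <= max_age and c.restore_tested]
    findings = [f"{c.name}: stale or failed restore test"
                for c in copies if c not in usable]
    if len(usable) < 3:
        findings.append(f"only {len(usable)} usable copies, need 3")
    if len({c.media for c in usable}) < 2:
        findings.append("usable copies are not on 2 different media")
    if not any(c.offsite for c in usable):
        findings.append("no usable offsite copy")
    return findings

# Constructed sample inventory: the offsite copy has not refreshed in 9 days.
NOW = datetime(2017, 10, 19, 23, 0)
SAMPLE = [
    Copy("ils-live", "server-disk", False, NOW, True),
    Copy("ils-nas", "nas", False, NOW - timedelta(hours=20), True),
    Copy("ils-cloud", "cloud", True, NOW - timedelta(days=9), True),
]

if __name__ == "__main__":
    print(backup_due(NOW - timedelta(hours=5), NOW, new_cards=230, training_events=1))
    for finding in check_3_2_1(SAMPLE, NOW):
        print("FINDING:", finding)
```

On the sample inventory the audit reports the stale offsite copy, which also leaves only two usable copies and no usable offsite copy, even though three copies nominally exist.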

Online threats

  • 4,000 ransomware attacks/day
  • 78% of people aware of risks from unknown links click anyway
  • 21% of organizations trace data breaches to bring-your-own-device programs
  • 140 days is the average time attackers hide in a network
  • 44% of network-connected printers are insecure

Source: 2017 Symantec Threat Report

Dave Maxfield is CIO of Library Systems & Services, operator of more than 80 public libraries. Governing readers also can listen to Mr. Maxfield’s recorded webinar on this topic.