Libraries face an unusual combination of cyber security risks: they exist to serve public information, yet they also hold private records of what their patrons read and research. Developing and delivering a risk management program that addresses every cyber security issue in an environment with limited IT resources is not only impractical to implement but impossible to maintain. Librarians should instead prioritize the high-probability cyber risks and let those guide their defensive efforts.
The field of journalism, which also aims to disseminate unbiased information to the public, provides an excellent case study. Most people in the field are not technology experts, yet even the most prominent news organizations in the country have faced serious threats.
For example, in 2013 Chinese hackers obtained the passwords of every New York Times employee, and in the same year the U.S. Justice Department surreptitiously obtained phone records of Associated Press employees. In response to these threats, journalists have had to learn public key cryptography, Tor, and other tools to protect their sources. Similarly, in 2015 the DC Public Library began an outreach and education program to teach patrons how to use these tools.
Software tools and training may work well for individuals, but they are not 100% effective. Establishing clear policies and procedures based on a cyber risk assessment framework like OCTAVE Allegro helps mitigate cyber risks and reduces the harm when an attack does occur.
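To make the "prioritize high-probability risks" idea concrete, here is an added example (my code, not part of the original post or of the OCTAVE Allegro guide) that applies the Allegro relative risk score to a handful of constructed library risks. Allegro ranks each impact area from 1 to 5 by importance to the organization, rates each risk's impact per area as Low (1), Moderate (2) or High (3), and sums rank times value to get a relative risk score; that score plus an estimated probability then places the risk in a mitigation pool. The impact-area rankings, the sample risks, and the pool thresholds below are assumptions I made for a public library to illustrate the method; check them against the guide and your own organization before adopting them.

```python
"""Added example: OCTAVE Allegro-style relative risk scoring for library cyber risks.

Not code from the original post or from the OCTAVE Allegro guide; the rankings,
sample risks and pool thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Allegro impact areas ranked 1..5 (5 = most important). Constructed sample ranking
# for a public library: patron confidence and privacy come first.
IMPACT_AREA_RANK = {
    "reputation_and_patron_confidence": 5,
    "patron_privacy_and_safety": 4,
    "productivity": 3,
    "financial": 2,
    "fines_and_legal_penalties": 1,
}

# Allegro impact values: Low = 1, Moderate = 2, High = 3.
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}

# Mitigation pools and the action each implies (pool 1 = act first).
POOL_ACTION = {1: "mitigate", 2: "mitigate", 3: "defer or mitigate", 4: "accept"}


@dataclass
class Risk:
    asset: str
    threat: str
    probability: str          # "high", "medium" or "low"
    impact: dict              # impact area -> "low" | "moderate" | "high"


def relative_risk_score(risk: Risk) -> int:
    """Sum over impact areas of (area rank x impact value). Unrated areas count as low."""
    return sum(rank * IMPACT_VALUE[risk.impact.get(area, "low")]
               for area, rank in IMPACT_AREA_RANK.items())


def mitigation_pool(score: int, probability: str) -> int:
    """Map (score, probability) to a pool 1..4.

    With five impact areas the score ranges 15..45. The bands (>=30, 16..29, <=15)
    and the matrix are an assumption approximating the Allegro mitigation matrix.
    """
    band = 0 if score >= 30 else (1 if score >= 16 else 2)
    matrix = {"high": [1, 2, 2], "medium": [1, 2, 3], "low": [2, 3, 4]}
    return matrix[probability][band]


def prioritize(risks):
    """Return (asset, threat, score, pool, action) tuples, most urgent first."""
    rows = []
    for r in risks:
        score = relative_risk_score(r)
        pool = mitigation_pool(score, r.probability)
        rows.append((pool, -score, r.asset, r.threat, POOL_ACTION[pool]))
    rows.sort()                                   # lowest pool, then highest score
    return [(a, t, -neg, pool, act) for pool, neg, a, t, act in rows]


# Constructed sample risks for a public library (not real incidents).
SAMPLE_RISKS = [
    Risk("ILS patron borrowing records", "staff credential phishing", "high",
         {"reputation_and_patron_confidence": "high", "patron_privacy_and_safety": "high",
          "productivity": "moderate", "financial": "low", "fines_and_legal_penalties": "moderate"}),
    Risk("public PC disk images", "malware from patron USB drives", "high",
         {"reputation_and_patron_confidence": "moderate", "patron_privacy_and_safety": "moderate",
          "productivity": "moderate", "financial": "low", "fines_and_legal_penalties": "low"}),
    Risk("events web page", "defacement via stale CMS plugin", "low",
         {"reputation_and_patron_confidence": "moderate"}),
    Risk("decommissioned (wiped) catalog server", "physical theft", "low", {}),
]

if __name__ == "__main__":
    for asset, threat, score, pool, action in prioritize(SAMPLE_RISKS):
        print(f"pool {pool} ({action:17}) score {score:2}  {asset}: {threat}")
```

Run as a script it prints the four sample risks in the order a small library IT team should tackle them; the phished-credentials risk against patron records lands in pool 1 with a score of 37, while the theft of an already-wiped server scores the minimum and is simply accepted. Swap in your own asset list, rankings and probability estimates; the point of the exercise is the ordering, not the absolute numbers.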
But first, library staff members or third-party consultants must identify the problem areas. To put it another way: you can't patch a system without first looking for the holes.
If you would like to hear more about cyber risk management for libraries, please comment and/or subscribe! This is the first post in a series about cyber risk management by Chris Markman and I’d love to hear your feedback. Thanks!