Cyber Security - What your library needs to know

February 22, 2017
Clare Brown

Earlier this year, 17 US public libraries were hit by a ransomware attack. It took several days for the St Louis libraries to regain control of their computer systems, though it could have been significantly longer if it hadn't been for the fact that they had a good back up of their systems1. Attacks like these are, sadly, not unusual. Just a few weeks before the library attack, a charity worker lost £67,000 due to, what he reports to be, a security breach at his solicitors causing him to fall the trap of hackers2. Such instances are not only incredibly expensive to all involved (we’re seeing average losses of £65,000 to £1.15m3), they can also cause serious privacy breaches as well as damaging the reputations of affected organisations.

padlock security

Large companies are not safe either. Whilst they may have more financial capital to invest in cyber-security, they are also far more of a high profile target for attackers. Last year’s BIALL conference saw Andy Harbison, Head of Legal Technology at Grant Thornton, conduct an excellent session exploring the threat of cyber-crime4. In it he cited many a big name as having fallen victim to an attack.

An organisation’s library acts as its information epicentre - the company is dependent upon it. This leads us to posit two key purposes of the library when it comes to cyber-security, much like Jessamyn West does in his post5.

1. Keep the library safe

The library’s research and curation function is imperative for your organisation to operate effectively and strategically. Imagine if that suddenly disappeared due to a security breach overnight. No content going out to your fee-earners, no briefings on key clients.

Or, perhaps even worse. What if, through a security breach in the library, the whole organisation came under attack? It could well be that your client list is accessed and publicised, for instance. Not only would this break client confidentiality but it could also be severely detrimental to your competitive advantage.

What can you do to prevent this happening in your library?

Firstly, start with the basics - passwords. Keep your passwords secret (never ever write them down), use different passwords for different tools and change them regularly. There are a whole host of tools out there that can help by generating random number and letter combinations for a harder to crack password than the typical word and symbol/number approach. Apps such as 1Password act as a virtual safe for your passwords, meaning you’ll never get locked out.

As always, double check the authenticity of anyone reaching out to you regarding what could be deemed sensitive information, be it via email, phone or otherwise. The Law Society cites examples of bank officials calling up regarding the security of client accounts as just one such example6. In fact, they have put together an excellent guide full of tips to prevent scams - from calling unknown contacts back on a different phone line, to how to report a scam.

With most libraries using a variety of technology vendors, it’s vital to check their security protocols too. How are they protecting sensitive data? Where is data stored? Is it encrypted7? Whilst this may be assumed to be under your IT team’s remit, asking these questions can save valuable time by eliminating potentially risky vendors from the outset.

Then there’s https. Whilst it’s automatically assumed that most companies will be using https on their web services, it’s never guaranteed. Essentially, implementing https creates an encrypted tunnel between two endpoints so that information sent from one server to a client (e.g. the web browser) is no longer raw data but is instead encrypted information. This makes it more difficult for a hacker in the middle to attack and capture or steal that information for misuse. This is known as the TLS protocol (formerly the SSL protocol).

There are a whole host of different ways that you can enhance your online security, just a small fraction of which we have covered here. To take full control of your cyber-security it’s highly recommended that you participate in online security training with a security expert to ensure that you are able to protect your organisation as much as possible.

2. Educate your organisation on cyber-security risks

A second facet for the library is educating your users on the risks and pitfalls of an inefficient cyber-security system. With the library and information team’s strong research and curation skills, you are perfectly positioned to present such information in an engaging and digestible manner.

Cyber-security can, for good reason, be an intimidating subject. To engage users and get their attention, it might be worth using shock tactics. Take the email below, which my colleague received, seemingly from a large US law firm. At first glance, the email address looks to be from an authentic source. With law firms being one of our primary clients, we’re obviously always keen to act in the interest of our customers, or in this case potential customers. Luckily, my colleague is savvy and knowledgeable enough to know not to click on the link contained in the email. I imagine that many other recipients could fall into this trap, however.

Fraud email

Now you’ve got their attention, it’s time to get educating. It may well be worth setting up a fortnightly or monthly alert updating your organisation on the latest in cyber-security and any new risks that may have been exposed. The National Security Archive hosts a vast library of materials covering a whole range of cyber-security topics, whilst news outlets and technology and legal IT websites provide regular updates as to what’s happening in the security world. can also be used to see who has been hacked most recently (thanks to Ann O’Sullivan for this pointer8). These can, of course, be incorporated with regular organisation-wide training sessions.

How do you keep your library safe? We’d love to hear your experiences.

Ebook download: Striking the Balance Between Content Curation and Automation

  1. BBC News (2017) US libraries hit by ransomware attack
  2. Rupert Jones (2017) ‘I thought I’d bought my first home, but I lost £67,000 in a conveyancing scam’, The Guardian
  3. Kathleen Hall (2014) Law firms urged to tackle cyber-security threats, The Law Society Gazette
  4. Andy Harbison (2016) Cyber-crime, how much of a threat is it?, BIALL
  5. Jessamyn West (2016) National Library Week - thoughts on cyber security,
  6. The Law Society (2016) Practical tips to protect your firm from scams
  7. Alex Caro & Chris Markman (2016) Measuring Library Vendor Cyber Security: Seven Easy Questions Every Librarian Can Ask, Code{4}lib Journal
  8. Ann O’Sullivan (2016) BIALL (British & Irish Association of Law Librarians) - Review, libfocus