Libraries have faced and successfully overcome multiple challenges in 2020. One of the biggest obstacles was ensuring that a remote workforce had secure access to the right technology. However, as Richard DeMillo, a computer science professor at Georgia Tech, reminded us, "it seems the convenience of working from home during the pandemic comes at a price of 'exposure and risk'."
COVID-19 has left everyone more vulnerable to ransomware, cyber attacks, and scams
Prior to the pandemic, there was an enormous uptick in the number, size, and sophistication of ransomware attacks, with a 147% increase in associated losses from 2018 to 2019. 2020 has seen the demand for ransomware payments increase alarmingly, which is why governments are issuing guidance, and why people should be aware.
Ransomware is a type of malware (malicious software) that takes over your computer system until a sum of money is paid. Usually this means that your files become encrypted and only the attackers know the key. (Texas State Library, 2019)
Governments are warning that public bodies such as hospitals, libraries and schools are particularly vulnerable as they may have fewer resources to invest in cyber protection.
For instance, in early September 2020 in the US, there were several ransomware attacks against schools. Since August 2020, the UK's National Cyber Security Centre (NCSC) has been investigating an increased number of ransomware attacks affecting education establishments including schools, colleges and universities.
With the advent of COVID-19, scammers are adapting their tactics as people spend more time at home. Coronavirus-related email scams ranged from selling non-existent face masks to infecting devices with malware via malicious attachments. With work, shopping and leisure activities all moved online, we are more vulnerable than ever.
The numbers are startling. As of 30 September 2020, the number of reports received by the NCSC through its new Suspicious Email Reporting Service (SERS) stands at more than 2,930,000, resulting in the removal of 13,291 scams and 30,344 URLs. This service was launched on 21 April 2020 to make it easier than ever to flag suspicious emails.
What can library and information services do to keep everyone safe against cyber attacks?
The library’s research and curation function is imperative for your organisation to operate effectively and strategically. Imagine if that suddenly disappeared due to a security breach overnight. No content going out to your fee-earners, no briefings on key clients.
Or, perhaps even worse: what if, through a security breach in the library, the whole organisation came under attack? It could well be that your client list is accessed and publicised, for instance. Not only would this break client confidentiality, but it could also be severely detrimental to your competitive advantage.
How can the library and information service help?
As a start, it is worth reading the IFLA blogpost on Awareness, Planning, Resilience: Thoughts on Libraries’ Cyber Defence in 2020. They state that the first key step to boosting a library’s cyber defence is to take stock of your assets and digital systems. Once you know your assets, consider the vulnerabilities, priorities and risks. Ask yourself these questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
Start with the basics - passwords
Keep your passwords secret (never ever write them down), use different passwords for different tools and change them regularly. There are a whole host of tools out there that can help by generating long random combinations of letters and numbers, which are far harder to crack than the typical word with a symbol or number added. Apps such as 1Password act as a virtual safe for your passwords, meaning you’ll never get locked out.
For an entertaining - and terrifying - read, this blogpost by an information professional on passwords is great. Indeed, what can go wrong?!
For what I consider low-risk work applications (appraisal system, annual leave, bike shed booking) all the passwords are in a spreadsheet, that’s in a part of the network drive that only I can access, that is among 10,000 other files. That spreadsheet has a password on it. What could possibly go wrong?
Ensure your lawyers are aware of scammers
Know Your Client and money laundering regulations/procedures mean that firms are alert to the types of questions to ask potential clients. I would hope that lawyers are just as careful when communicating with vendors, financial institutions etc. As always, double check the authenticity of anyone reaching out to you regarding what could be deemed sensitive information.
With most libraries using a variety of technology vendors, it’s vital to check their security protocols too. How are they protecting sensitive data? Where is data stored? Is it encrypted? Whilst this may be assumed to be under your IT team’s remit, asking these questions can save valuable time by eliminating potentially risky vendors from the outset.
What is HTTPS (Hypertext Transfer Protocol Secure)?
HTTPS is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site. Users expect a secure and private online experience when using a website. Google encourages you to adopt HTTPS in order to protect users' connections to your website, regardless of the content on the site.
Whilst it’s assumed that most companies will be using HTTPS on their web services, it’s never guaranteed. Essentially, HTTPS creates an encrypted tunnel between two endpoints, so that information passing between a server and a client (e.g. the web browser) travels as encrypted data rather than as readable plain text. This makes it much harder for an attacker who can observe the traffic to read or misuse your information.
Educate your organisation on cyber-security risks
The library is responsible for educating users on the risks and pitfalls of an inefficient cyber-security system. With the library and information team’s strong research and curation skills, you are perfectly positioned to present such information in an engaging and digestible manner.
According to one cyber security expert, here are some basic reminders regarding email - to be passed on to staff, readers, and colleagues:
- Do not click on attachments.
- Do not open emails from unfamiliar senders.
- Watch for attachment extensions such as .exe or .zip, which may contain executable files.
- Closely review the sending email address before opening an email, since attackers often use names that closely resemble those of real people or organisations.
- Do not click on links in emails unless you know the sender.
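The checklist above can be turned into a simple triage script that a library or IT team could run over incoming mail: it flags unfamiliar sender domains, sender domains that closely resemble a trusted one (the "very similar sounding names" point), risky attachment types and links from unverified senders. This is an added example written for this post, not code from the author or from any named organisation; the trusted domain list, the sample messages and the 0.8 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of domains the organisation already knows and trusts (constructed).
KNOWN_DOMAINS = {"example-law.com", "courts.example.gov"}
# Attachment types the checklist warns about (.exe/.zip from the post; .scr/.js added).
RISKY_EXTENSIONS = (".exe", ".zip", ".scr", ".js")


def lookalike_domain(domain):
    """Return the known domain that `domain` closely resembles but is not, else None."""
    for known in KNOWN_DOMAINS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() > 0.8:
            return known
    return None


def triage(raw_message):
    """Apply the checklist to one RFC 822 message; return a list of reasons to escalate."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    flags = []
    if domain not in KNOWN_DOMAINS:
        flags.append("unfamiliar sender")
    near = lookalike_domain(domain)
    if near:
        flags.append(f"sender domain resembles {near}")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    if re.search(r"https?://", body) and domain not in KNOWN_DOMAINS:
        flags.append("link from unverified sender")
    return flags


def make_sample(sender, body, attachment=None):
    """Build a constructed sample message for testing; no real mail is involved."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "library@example-law.com", "Document request"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()
```

Calling `triage(make_sample("Partner <partner@exarnple-law.com>", "Review https://example.org/x"))` flags the "rn"-for-"m" lookalike domain as well as the link, while a trusted sender with a `.zip` attachment is flagged for the attachment alone.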
I can feel your end-users glazing over as I write, but it was a lawyer who brought down the email system of a previous employer by clicking on a dubious link.
Use shock tactics to get their attention
To engage users and get their attention, it might be worth using shock tactics. Take the email below, which my colleague received, seemingly from a large US law firm. At first glance, the email address looks to be from an authentic source. Luckily, my colleague knew not to click on it, and reported it to IT immediately.
Now you’ve got their attention, it’s time to get educating. Set up a fortnightly or monthly news alert updating your organisation on the latest in cyber-security and any new risks that may have been exposed.
How has COVID-19 affected your information security? How do you keep your library safe? We’d love to hear your experiences.