We’ve been giving workshops for librarians to help them prepare and test their service continuity plans in the event of a cyberattack on campus and we have a few tips for you.
Do you have a library service continuity plan that focuses on digital services and cybersecurity?
Many library services, both staff-focused and patron-focused, rely on other services on campus such as registration and records, email, shared drives etc, that can be totally disabled during a cybersecurity attack. Do you know if your campus has a plan, and have they consulted the library in devising that plan? Do they know the nature of library services and their importance to both the classroom and the research enterprise of the institution? Finding out what plans exist and then addressing the library’s role is a critical first step.
- THE Campus spotlight: Cybersecurity tips for protecting universities from online threats
- How to prepare and protect your institution against a future cybersecurity attack
- We must end the ‘us and them’ standoff between libraries and publishers
Since library operations are complex, it’s important for libraries to develop and maintain a detailed plan that aligns with your campus plan but also concentrates on the specific library operations. For example, what is your library’s communication plan? Does it rely on email or listservs that might be completely disabled? Do you have a list of online services that includes the library point person and vendor contact information? Communication is often the first breakdown in a cybersecurity event.
A great next step is to stress-test your plan in a tabletop exercise with a simulated cyberattack. You’ll find the hidden assumptions and gaps in your plan and can address them before an actual event. You can either develop the simulation yourself or in conjunction with your IT staff, or there are third-party companies that can help. If you belong to a library consortium, it’s a great community exercise.
Here are three real-life scenarios taken from actual library experiences with a takeaway for you to consider.
Scenario one: fake user accounts
A librarian at Columbia University had an online user posing as a student to get access to a military-focused, locally hosted database with the intent to change content within the resource. The attacker faked a student ID and was adept at persuading librarians to grant them access by leaning on the librarians’ strong service ethic and willingness to help. Eventually the library cancelled the database because they felt they couldn’t adequately protect the contents from being corrupted.
Key takeaway: phishing isn’t only via email so ensure staff and students are aware of all its forms. Are your staff and student employees included in your cybersecurity training? Is it customised for library-specific situations such as chat reference? Do you have a plan for security alerts within the library that reach all staff members?
Scenario two: ransomware attacks
Campus IT informs the campus that all locally hosted data has been encrypted and is inaccessible including the library digital collections, library financial and business information, eReserve material, and the library patron database. When the ransom was paid, some assets were not able to be recovered. One institution had recently digitised all their older theses and dissertations on a locally hosted server, the files were never recovered, and the print copies were imminently scheduled for recycling but stopped just in time!
Key takeaway: ensure you have backups of critical documents stored somewhere safe but accessible
How will you establish business continuity when it comes to invoicing, routine business transactions etc, if that information is in an inaccessible local drive? Where are your critical backups stored and do you or your IT department test the integrity of restoring via backup on a regular basis?
Scenario three: just because a cyberattack is over, doesn’t mean the impact on the library services is over
A security audit or change in policies can radically change the software and workflows that your library relies on. One major medical library was told that it could not continue to use its locally hosted Integrated Library System or ILS because it would not pass the new stringent security requirements. Other commonly used library software also did not pass the security audit – like their method of authentication. It’s extremely difficult to sway a chief information security officer shortly after a cybersecurity event. Don’t assume that your library will be able to just return to business as it was before the attack; you may need to rethink which service providers and hosting options offer the most stability, risk mitigation and resilience for major services.
Key takeaway: be prepared to rethink your systems and service providers in the event of a cyberattack, so keep informed about options
Information security professionals will tell you that it’s not a matter of if your institution will be attacked, it’s a matter of when. Talk to your chief information officer and chief information security officer now, and make sure that you are working together to protect the service continuity of the library in case of a cybersecurity event. Be as prepared as possible so your library is as resilient as possible.
if you need more motivation to act in concert with your IT staff, a great place to start is this post by Adrian Ellison, associate vice-chancellor and chief information officer at the University of West London and chair of UCISA, “How to prepare and protect your institution against a future cybersecurity attack”.
Working together is the best option – chief information officer, chief information security officer and library staff should understand the mutual dependencies, priorities and contexts to best serve their students, faculty and researchers in a digitally dependent environment.
Amy Pawlowski is executive director of OhioLINK, Ohio’s statewide academic library consortium that delivers both IT infrastructure and access to digital research content.
Gwen Evans is vice-president of global library relations at Elsevier and a member of the Scholarly Networks Security Initiative, a group of publishers and librarians concerned about cybersecurity threats within the scholarly communication ecosystem.
comment