A Publication of the Public Library Association Public Libraries Online

Protecting Your Library from Ransomware

by on March 2, 2017

Just last month, seventeen libraries in the St. Louis (Mo.) area were victims of a ransomware attack. The cyber-attack disabled the library computer system, and the attackers demanded a ransom to bring them back online. The library did not pay the ransom but brought in computer specialists and the FBI to identify the attackers and bring the systems back online.

A side effect of the Internet of Things (IoT) revolution is that almost any institution, including the library, is vulnerable to cyber-attacks of one kind or another. A well-executed ransomware attack can bankrupt a business or a library system in a matter of days. What can you do to protect yourself? There are a number of simple steps you can take to protect your library.

Be Aware

A recent study shows that 69 percent of Americans feel that the threat of cyber-attacks is greater than it was five years ago. Yet when asked, “to what extent do you feel safe from hackers?” 55 percent said they felt safe, while only 45 percent did not. Of that 45 percent, only 17 percent felt very unsafe. While people seem aware of the rise of cyber-crime, they often assume it won’t happen to them. The attacks on the libraries in St. Louis show that, although most libraries feel safe, cyber criminals can (and will) attack almost any kind of institution or business that is vulnerable.

Demand Security

The worst passwords of 2016 are similar to those of 2015 despite the rise in cyber-crime. Top of the list for personal passwords is still “123456,” followed closely by “password.” These passwords are gateways to sensitive information. “[A password] is akin to locking the door on your house; it won’t stop a dedicated burglar, but it prevents casual theft,” says Shawn Surber, a cyber-security consultant. Encourage employees, especially those with access to the more vital parts of the computer systems, to have excellent passwords. A twelve-to-fourteen-character password with both capital and lowercase letters and at least one symbol or special character are best. Require employees to change passwords regularly and train them on how to keep their passwords secure.

Isolate Your Public Network

This is simple yet vital. If your public network is slowed for any reason, including high traffic, remind staff that under no circumstances is it okay to give out the administrative Wi-Fi password. The IT department typically will have constructed protections and firewalls to prevent hackers from accessing the network, but if an employee inadvertently gives out the key to the front door, so to speak, none of those defenses will be effective.

Have a professional check your system regularly. New virus updates, new methods of attack, and many other advances are emerging in both security and hacker practices. Using software that employs machine learning, a disruptive force in cyber security, enables your system to learn from each attempted attack.

Don’t Be Afraid

Ransomware attacks are on the rise, but you can make yourself less of a target by becoming more security-conscious. In the end, the St. Louis libraries restored services, and no ransom was paid. “An attempt to hold information and access to the world for ransom is deeply frightening and offensive to any public library, and we will make every effort to keep that world available to our patrons,” said Waller McGuire, executive director of St. Louis libraries. “The real victims of this criminal attack are the library’s patrons.”

When an institution is attacked, it is often a gut reaction to withdraw completely from the area where the security breach occurred. Avoid this reaction. Your patrons still need your services, and your job is still to provide them to the best of your ability. Hire cyber-security professionals, or utilize those employed by your city or county. The need for cyber-security professionals is far outpaced by the number available at all levels of government and the private sector, so they may be busy. Wait for them.

You will be vulnerable to attack—all public institutions and all businesses are, as long as we continue to operate connected to the Internet. Be aware, demand security, do what you can to isolate your private network.

Tags: , , , ,