Cybersecurity experts affiliated to museums and cultural institutions have warned against complacency in the sector over data management, after the Charity Commission urged organisations to be vigilant in the wake of the cyber-attack that hit the National Health Service in May.
The commission has urged organisations such as museums to follow advice issued by the City of London Police and the National Cyber Security Centre, including using recently updated anti-virus software and regularly updating applications.
Despite Brexit, the UK government has indicated it will implement the European Union’s General Data Protection Regulation (GDPR) from May 2018, which will lead to fines of up to €20m for breaches of data protection. Users will also be able to ask to see the data an institution holds, and can request the removal of personal data.
According to intellectual property consultant Naomi Korn, a former chair of the Libraries and Archives Copyright Alliance, many museums are unprepared for the GDPR.
“Many of them don’t know this change is happening, and those that do are struggling to implement it,” she says. “For example, in order to comply, museums need to carry out an information audit, so they know exactly what information they have, where it is stored, why they are keeping it and who has access to it.
“Even museums with data protection officers are finding it hard to communicate to other staff that they need to play their part in providing them with this detail of information.”
Mike Ellis, a director at digital consultancy Thirty8 Digital and a former head of web at the National Museum for Science and Industry (now part of the Science Museum Group), says the use of networks means museums are as vulnerable as other sectors to cyber-attacks.
“The impact before would possibly have been very limited,” Ellis says.
“A collections management system installed on a single PC in a museum environment is irritating, expensive and annoying, but one thing it probably wasn’t was vulnerable,” he says.
“Nowadays, an impact on a single system can, because of the web network, spread very rapidly,” Ellis continues. “So, someone failing to update a WordPress plug-in could mean your in-house collections management system goes down, or you end up with something awful on your digital signage.”
One professional who used to work in IT for a local authority museum in north-west England, who wished to remain anonymous, says a “whole organisation” approach to security is required.
“For museums, the costs are probably prohibitive,” he says. “I expect cybersecurity to be low on the list of priorities.”
Jenny Kidd, a senior lecturer at Cardiff University and a committee member of the Digital Learning Network for the cultural heritage sector, warns that museums should pay more attention to digital ethics.
“The sector needs to think about why it collects data in the first place and why we keep it over time,” she says.
“We should be honest about this. If it is for marketing purposes, that should be clear to users. Similarly, if it is in order to fulfil some monitoring function. If people can opt out of data collection, that should also be clear.”
Kidd adds that the sector should also ask what is at stake in the event of a data breach for an institution such as a museum.
She says: “The principal concern for me would be that it would put people’s trust in our institutions at risk. We could do with a stronger set of professional guidelines on these matters, not least because debate about this is likely to intensify.”