Cyber security is an urgent priority for the sector - Museums Association

With the fallout from the cyber-attack on the British Library still being felt, museums should act fast to ensure their data is secure
The British Library is still recovering after an extensive cyber-attack last October. Credit: British Library

If improving cyber security was not already a priority for cultural institutions, it has surely jumped to the top of everyone’s to-do lists following last year’s cyber-attack on the British Library.

The fallout is still being felt as library staff try to restore online and in-person services that were curtailed by the October incident. The organisation is also having to deal with a damaged reputation and the ongoing costs associated with addressing the issue.

There was some good news in January when the library managed to get its main catalogue back online. It was also able to offer access to most of its special collections for the first time since the attack.

Far-reaching implications

“What happened to us in October has implications for the whole collections sector,” wrote chief executive Roly Keating in a blog on the British Library’s website. “In the months ahead, we will begin to share the lessons we’ve learned from this experience with partners and peer institutions.”

The British Library is a high-profile institution with a global reputation, but those who think that smaller organisations are less likely to suffer cyber-attacks should think again.


A devastating cyber-attack on Hackney Museum in October 2020 received far less publicity. The museum was affected only because it is part of a larger organisation, the London Borough of Hackney, but the attack had far-reaching consequences that still affect all areas of its work.

Discuss cyber security at Museum Tech 2024

Find out about key security concepts and principles for heritage organisations at our annual digital festival on 10 April at the Museum of London.

Rebecca Odell, project curator at Hackney Museum, says: “As museums, we create business continuity and emergency salvage plans for use if our venue burns down and collections are destroyed – and we refer to the experience of our cyber-attack as a digital building burning down.

“Everything has changed, but there are no ruins that people can see to understand the trauma of what we have experienced and the years it will take to recover. Cyber-attacks change everything, except the expectations of stakeholders and the public.”

‘An everyday hazard’

Odell has a stark warning: “Unfortunately, attacks need to be considered an everyday hazard, and museums need to look beyond prevention to mitigating the damage. We would like to see more leadership in the sector and the creation of a template for digital salvage plans to protect collections, assets and research.”


Hackney Museum is not the only UK museum to have been hit. In the winter of 2021-22, the Royal Armouries was attacked and its collections management system was down for three months.

When it got back online, the museum discovered that the hackers had accessed its back-ups and deleted eight months’ worth of data. Staff are still working on recovering the lost data.

Several museums in the US – including MFA Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas – experienced problems recently after a cyber-attack on third-party tech company Gallery Systems.

Growing problem

The problem is clearly growing – and cyber-attacks are costly and time-consuming to sort out. A Financial Times report claimed the British Library will have to spend up to £7m (or 40% of its £16.4m unallocated reserves) to recover from the cyber-attack.

The British Library says media reports about the cost of recovering from the cyber-attack are inaccurate. “The final costs of recovering from the recent cyber-attack are still not confirmed,” a statement reads.


“The British Library and its government sponsor, the Department for Culture, Media and Sport, remain in close and regular contact. The library always maintains its own financial reserve to help address unexpected issues and no bids for additional funding have been made at this stage.”

Whatever the final costs to the British Library, it won’t be cheap.

So, what can museums and other cultural institutions do to better understand how a hack can happen, what measures they can take to reduce the chances of one occurring, and how they might recover if they do suffer one?

The good news is that help and advice are available. The British Library has received support from the National Cyber Security Centre, which offers a cybersecurity guide for charities. This aims to help smaller organisations improve cybersecurity quickly and inexpensively.

Mike Ellis, co-director of consultancy Thirty8 Digital, says backing up data is crucial, although he does sound a note of caution: “Even if you’ve got a great back-up regime, and you test regularly to make sure you actually can restore, because of the nature of these attacks, you have no idea whether you’re restoring a compromised back-up,” he says.

Compromising usability

Ellis also points out that there is always going to be a compromise between usability and security.

“If you’ve got full access to all websites, install whatever software you want on your computer and so on, life is easy,” he says. “But the compromise is you’re very much more likely to bump into something nasty.

“On the other hand, if you’re locked down and can’t do any of these things, you’ll spend a lot of your life being annoyed that you can’t do what you need to do – but at least you’re secure. Somewhere in the middle of this is a context that balances correctly for you and your organisation. But it is always going to be a compromise.”

Ellis says it is important for organisations to sort out their approaches to passwords – something that is often ignored.

“Few museums have a solid password strategy, in large part because it’s quite hard to maintain passwords across staff working at several machines, in several locations and different contexts.

“The default becomes ‘just use that same old password we have for everything’ – and before you know it, you’re compromised. Some education needs to happen, as I don’t think many non-nerds understand how hackers move passwords around or publish them on the web. The negative impact of having a single password, however strong, for all things is not well understood.”

But in a sector with limited funding that uses lots of freelance workers and volunteers, creating a robust password management strategy isn’t straightforward. Indeed, nothing associated with cybersecurity is straightforward.

Nevertheless, all cultural organisations should act now to protect themselves from attacks and plan what to do if their security is compromised.

Backing up your data

All charities, regardless of their nature and size, should make regular back-ups of their important data, and should ensure that these back-ups can be restored.

By doing this, you are ensuring your charity can still function following the impact of flood, fire, physical damage or theft. Furthermore, if you have back-ups of your data that you can recover quickly, your charity will be more resilient to cybercrime.

  • Tip 1: Identify what data you need to back up.
  • Tip 2: Keep your back-up separate from your computer.
  • Tip 3: Consider the cloud.
  • Tip 4: Read the National Cyber Security Centre’s cloud security guidance.
  • Tip 5: Make backing up part of your everyday business.

Source: National Cyber Security Centre
