INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION

Cyber Security Is an Urgent Priority for The Sector

March 22, 2024 2:42 PM | Anonymous

Reposted from Museums Association


If improving cyber security was not already a priority for cultural institutions, it has surely jumped to the top of everyone’s to-do lists following last year’s cyber-attack on the British Library.

The fallout is still being felt as library staff try to restore online and in-person services that were curtailed by the October incident. The organization is also having to deal with a damaged reputation and the ongoing costs associated with addressing the issue.

There was some good news in January when the library managed to get its main catalogue back online. It was also able to offer access to most of its special collections for the first time since the attack.

*Far-reaching implications*

“What happened to us in October has implications for the whole collections sector,” wrote chief executive Roly Keating in a blog on the British Library’s website. “In the months ahead, we will begin to share the lessons we’ve learned from this experience with partners and peer institutions.”

The British Library is a high-profile institution with a global reputation, but those who think that smaller organizations are less likely to suffer cyber-attacks should think again.

A devastating cyber-attack on Hackney Museum in October 2020 received far less publicity. The museum was affected only because it is part of a larger organization, the London Borough of Hackney, but the attack had far-reaching consequences that still affect all areas of its work.

Rebecca Odell, project curator at Hackney Museum, says: “As museums, we create business continuity and emergency salvage plans for use if our venue burns down and collections are destroyed – and we refer to the experience of our cyber-attack as a digital building burning down.

“Everything has changed, but there are no ruins that people can see to understand the trauma of what we have experienced and the years it will take to recover. Cyber-attacks change everything, except the expectations of stakeholders and the public.”

*‘An everyday hazard’*

Odell has a stark warning: “Unfortunately, attacks need to be considered an everyday hazard, and museums need to look beyond prevention to mitigating the damage. We would like to see more leadership in the sector and the creation of a template for digital salvage plans to protect collections, assets and research.”

Hackney Museum is not the only UK museum to have been hit. In the winter of 2021-22, the Royal Armouries was attacked, and its collections management system was down for three months. When it got back online, the museum discovered that the hackers had accessed its back-ups and deleted eight months’ worth of data. Staff are still working on recovering the lost data.
 
Several museums in the US – including MFA Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas – experienced problems recently after a cyber-attack on third-party tech company Gallery Systems.

*Growing problem*

The problem is clearly growing – and cyber-attacks are costly and time-consuming to sort out. A Financial Times report claimed the British Library will have to spend up to £7m (or 40% of its £16.4m unallocated reserves) to recover from the cyber-attack.

The British Library says media reports about the cost of recovering from the cyber-attack are inaccurate. “The final costs of recovering from the recent cyber-attack are still not confirmed,” a statement reads. “The British Library and its government sponsor, the Department for Culture, Media and Sport, remain in close and regular contact. The library always maintains its own financial reserve to help address unexpected issues and no bids for additional funding have been made at this stage.”

Whatever the final costs to the British Library, it won’t be cheap. So, what can museums and other cultural institutions do to better understand how a hack can happen, what measures they can take to reduce the chances of one occurring, and how they might recover if they do suffer one?
 
The good news is that help and advice are available. The British Library has received support from the National Cyber Security Centre, which offers a cybersecurity guide for charities. This aims to help smaller organizations improve cybersecurity quickly and inexpensively.

Mike Ellis, co-director of consultancy Thirty8 Digital, says backing up data is crucial, although he does sound a note of caution: “Even if you’ve got a great back-up regime, and you test regularly to make sure you actually can restore, because of the nature of these attacks, you have no idea whether you’re restoring a compromised back-up,” he says.

*Compromising usability*

Ellis also points out that there is always going to be a compromise between usability and security. “If you’ve got full access to all websites, install whatever software you want on your computer and so on, life is easy,” he says. “But the compromise is you’re very much more likely to bump into something nasty.

“On the other hand, if you’re locked down and can’t do any of these things, you’ll spend a lot of your life being annoyed that you can’t do what you need to do – but at least you’re secure. Somewhere in the middle of this is a context that balances correctly for you and your organization. But it is always going to be a compromise.”

Ellis says it is important for organizations to sort out their approaches to passwords – something that is often ignored.
 
“Few museums have a solid password strategy, in large part because it’s quite hard to maintain passwords across staff working at several machines, in several locations and different contexts.

“The default becomes ‘just use that same old password we have for everything’ – and before you know it, you’re compromised. Some education needs to happen, as I don’t think many non-nerds understand how hackers move passwords around or publish them on the web. The negative impact of having a single password, however strong, for all things is not well understood.”

But in a sector with limited funding that uses lots of freelance workers and volunteers, creating a robust password management strategy isn’t straightforward. Indeed, nothing associated with cybersecurity is straightforward.

Nevertheless, all cultural organizations should act now to protect themselves from attacks and plan what to do if their security is compromised.

*Backing up your data*

All charities, regardless of their nature and size, should make regular back-ups of their important data, and should ensure that these back-ups can be restored.
 
By doing this, you are ensuring your charity can still function following
the impact of flood, fire, physical damage or theft. Furthermore, if you
have back-ups of your data that you can recover quickly, your charity will
be more resilient to cybercrime.
