Magazine article Computers in Libraries

Security in a Sharing Profession

Article excerpt

The best way to keep something secret is not to share it with anyone. Beyond that, all we have is risk mitigation. Since libraries are in the sharing business, this means we have to be concerned with the often blurry line between our role in facilitating and enhancing sharing and the danger of creating insecure, vulnerable systems. This is further complicated by the fact that we do business with a lot of other companies that may have access to some of our data. We might not know how secure any of their systems are.

Who Would Want to Hack the Library?

People often point to the library as an institution with a stellar reputation, as if that alone would deter potential attackers. Here are some reasons why someone might want to hack into a library system:

* It might be perceived as being easier to break into than for-profit companies that pay their IT staffers more than the library pays.

* It could be seen as having local information, which might be of use to geographically oriented, opportunistic bad people.

* Users share passwords among multiple accounts, and a library account might be a good entry into someone's email or bank account.

* It is there.

Point being, any online system is vulnerable, and we should get serious about mitigating risks for ourselves and our patrons. This can take several forms, and I'll outline a few.

Be Careful of the Weakest Links

Many of my patrons have their passwords written down in a notebook they carry with them. This isn't the best password security system, but it's balanced against the inconvenience of not being able to recall or find passwords when they are needed. The library should do better than this. If you are writing down your passwords in an openly accessible location, you are creating a weak link.

Fortunately, this is easy to fix. I've written previously about password managers ("How to Use Better and Stronger Passwords for Yourself and Your Patrons," Computers in Libraries, March 2014, pp. 19-21). They can be a good way to control access to systems in which multiple users share passwords. Cloud-based password managers are secure and effective. However, they are not free. Consider building the purchase of one into your operating budget. PC Magazine reviews many of these systems.

Additional weak links include other employees or volunteers who may not be totally on board with the privacy mission or goals of the library. This doesn't have to be something nefarious, but it's worth doing occasional security audits to see who has access to which passwords. If you change your locks after a disgruntled employee leaves, you should also change important system-level passwords.

As librarians, we strive to "save the time of the user," and we should handle a little inconvenience on our parts to make our systems more secure for everyone.

Stay Informed

Make sure you or someone at your organization is staying abreast of recently discovered vulnerabilities and security holes. I read the headlines in Google News' Computer Security section, which I check once a day when I am catching up with my other news. If there's a new vulnerability, it will appear there. I also keep up with some of the more readable security blogs such as Naked Security and Krebs on Security. Keep in mind that you don't need to read and understand all of these articles--many of them are well over my head--but you should be able to understand them enough to answer the question, "Are we vulnerable to this?"

This is also true for ongoing security issues. Adobe Flash Player, for example, has had a number of "zero day" vulnerabilities in the past few months. …
