Do These Three Things Today to Protect Your Patrons’ Privacy

Keeping track of the latest threats to patron data privacy and safety is easily a full-time job in quiet, uneventful times. Last week was neither quiet nor uneventful. From the possibility of increased cyber warfare in the coming weeks to the progression of anti-LGBTQIA+ and anti-CRT regulations in several US states, many library workers are rightfully feeling overwhelmed with the possible implications of these events on the patron’s right to privacy in the library. And all of this is happening while we are still in the middle of a pandemic!

This week we are going to help you, the reader, to take a moment to stop, breathe, and orient yourself in light of the recent increase in threats to patron privacy. We have three things that you can do today that can get you started in protecting patron data privacy and security in light of recent events:

Reacquaint yourself and others on how to avoid phishing attempts – Libraries are no strangers to being the target of phishing attacks; however, with the possibility of increased cyber warfare, the phishing attempts will only increase. As we saw with Silent Librarian, phishers are not afraid to use the library as a point of entry into the more extensive organizational network to access sensitive personal information. The Phishing section of the Digital Basics Privacy Field Guide is an excellent way to spread awareness at your library if you are looking for a simple explainer to share with others.

(Bonus – turn on multi-factor authentication wherever possible! You can also include the Multi-Factor Authentication section from the Digital Basics Guide while talking to others in the library about MFA.)

Check if your library is holding onto circulation, reference chat, and search histories – By default, your ILS should not be collecting borrowing history, but the applications you use for reference services might have similar information. The same goes for your library’s catalog or discovery layer and logs that might be capturing searches from patrons in a system log. This data can be used to harm patrons, particularly patrons who experience greater harms when their privacy is violated, such as LGBTQIA+ students and minors. Check the system and application settings to ensure that your systems are not collecting circulation and search histories by default. Review the reference chat logs to ensure that personal patron data is not being tracked or retained in the metadata and the chat content.

(Bonus – If you find patron data that is not supposed to be there after checking and changing settings, make sure to delete it securely!)
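Reviewing chat and search logs by hand does not scale, so here is an added example (not code from the original post or from any ILS or chat vendor) of the kind of scrubbing pass you can run over exported logs before deciding what to keep. The log format, the 14-digit barcode scheme and every sample line are constructed for this example; adjust the patterns to your own systems. It redacts direct identifiers (email, barcode, IP, phone) and drops the search query text itself, since the query is patron data even without a name attached, and it reports how many of each it found so you can see what a system has been retaining.

```python
import re

# Constructed sample log lines in an assumed "<timestamp> <event> key=value ..." format.
# They are NOT from a real ILS, discovery layer or chat service.
SAMPLE_LOG = """\
2022-03-01T10:02:11Z search q=banned books ip=192.0.2.44 patron=21234000123456
2022-03-01T10:05:40Z chat from=jordan.q@example.edu msg=can you renew my items? my barcode is 21234000123456
2022-03-01T10:06:02Z chat from=librarian msg=Sure, call us at 555-0142 if it fails
2022-03-01T10:09:15Z search q=lgbtq teen novels ip=198.51.100.7 patron=21234000998877
"""

# Identifier patterns to strip. The 14-digit barcode starting with "2" is an
# assumption for this example; most libraries will need their own scheme here.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("BARCODE", re.compile(r"\b2\d{13}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\b\d{3}-\d{4}\b")),
]

# A search query is patron data on its own: keep the fact that a search happened
# (useful for usage counts) but remove the terms. Matches "q=..." up to the next
# "key=" field or end of line.
QUERY = re.compile(r"\bq=.*?(?=\s\w+=|$)")


def redact_line(line: str) -> tuple[str, dict[str, int]]:
    """Return the redacted line and a count of what was removed, by category."""
    counts: dict[str, int] = {}
    for label, pattern in PATTERNS:
        line, n = pattern.subn(f"[{label}]", line)
        if n:
            counts[label] = n
    line, n = QUERY.subn("q=[QUERY REMOVED]", line)
    if n:
        counts["QUERY"] = n
    return line, counts


def scan_log(text: str) -> dict[str, int]:
    """Total identifiers found across a whole log export; use it to size the problem."""
    totals: dict[str, int] = {}
    for raw in text.splitlines():
        _, counts = redact_line(raw)
        for label, n in counts.items():
            totals[label] = totals.get(label, 0) + n
    return totals


def redact_log(text: str) -> str:
    """Redacted copy of the export, suitable for keeping if a log must be retained."""
    return "\n".join(redact_line(raw)[0] for raw in text.splitlines())


if __name__ == "__main__":
    print("Identifiers found:", scan_log(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
```

Run it against a real export only after checking the application's own settings; if the counts are non-zero, the fix is to stop the system collecting the data, and this script is a stopgap for what it already holds.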

Check your backups – You should be checking your backups regularly, but today is a good day to do an extra round of checks on your data backups:

  • Can you restore the system with the latest backup in case of a ransomware or malware attack? If you haven’t already tested your backups, you might run into unexpected issues in your attempt to restore your system after an attack. Schedule a backup test sooner than later if you haven’t restored from a data backup before to catch these issues while the system is still up and functional.
  • Where are your backups located? Having an offline copy can mitigate the risk of loss or destruction of all copies from an attack. You also want to ensure that the backup is securely stored separately from the system or application.
  • What data is being stored in the backups? Backups are subject to the same risk as other data regarding unauthorized access or government requests. This is especially important when these backups have personal data, such as a patron’s use of library resources and services. Adjust what data is being backed up daily to limit capture of such patron data and limit the number and frequency of full database backups.
  • How long are you storing backups? Backups can be used to reconstruct a patron’s use of library resources and services over time. We have to balance the utility of backups and data security and privacy; however, the longer you keep a backup, the less valuable it will be in restoring a system and the more the risk of that data being breached or leaked. The length of time you should retain a backup copy will depend on several factors, including if the backups are incremental or full and what type of data is stored in the backup. Nevertheless, if you are unsure where to start, review any backups older than 60 days for possible deletion.

(Bonus – if you’re not backing up your data, now would be a perfect time to start!)
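The four backup questions above can be turned into a repeatable check rather than a one-off. The following is an added example, not code from the original post or from any backup product: a small audit over a backup inventory that flags copies older than the 60-day review window, copies with no offline counterpart, copies that have never been restore-tested, and copies that contain patron data. The inventory records, field names and dates are constructed for the example; in practice you would fill them from your backup software's catalogue.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_AGE_DAYS = 60  # the starting point suggested in the post for retention review


@dataclass
class Backup:
    name: str
    created: date
    kind: str                     # "full" or "incremental"
    offline_copy: bool            # a copy exists off the network (tape, disconnected disk)
    has_patron_data: bool         # includes circulation, search or reference chat history
    last_restore_test: Optional[date]


# Constructed inventory for the example; not a real library's backups.
INVENTORY = [
    Backup("ils-full-2022-03-06", date(2022, 3, 6), "full", True, False, date(2022, 1, 15)),
    Backup("ils-full-2021-12-01", date(2021, 12, 1), "full", True, True, None),
    Backup("chat-incr-2022-03-06", date(2022, 3, 6), "incremental", False, True, date(2022, 2, 1)),
]


def audit(backups: list[Backup], today: date) -> list[tuple[str, str, str]]:
    """Return (check, backup name, message) for each of the post's four questions."""
    findings = []
    for b in backups:
        age = (today - b.created).days
        if age > REVIEW_AGE_DAYS:
            findings.append(("RETENTION", b.name,
                             f"{age} days old (> {REVIEW_AGE_DAYS}); review for deletion"))
        if not b.offline_copy:
            findings.append(("OFFLINE", b.name,
                             "no offline copy; one attack could destroy every copy"))
        if b.last_restore_test is None:
            findings.append(("UNTESTED", b.name,
                             "restore never tested; schedule a test while the system is healthy"))
        if b.has_patron_data:
            findings.append(("PATRON_DATA", b.name,
                             "contains patron data; exclude it from the job or shorten its retention"))
    return findings


def full_backups_since(backups: list[Backup], today: date, days: int = 7) -> int:
    """How many full backups were taken in the window; the post suggests limiting these."""
    return sum(1 for b in backups
               if b.kind == "full" and 0 <= (today - b.created).days < days)


if __name__ == "__main__":
    today = date(2022, 3, 7)
    for check, name, msg in audit(INVENTORY, today):
        print(f"{check:12} {name:24} {msg}")
    print("full backups in the last 7 days:", full_backups_since(INVENTORY, today))
```

Each finding maps to one of the four questions, so the output doubles as the agenda for the backup test you schedule; the retention threshold is a constant you can change once you have settled on a policy.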

Focusing on these three actions today will provide your library with an action plan to address the increased risks to patron data privacy and security in the coming weeks and months (and even years). Even though we focused on things you can do right now, don’t forget to include in your action plan how you will work with third parties (such as vendors) in addressing the collection, retention, and sharing of patron data! And as always, we will keep you up to date on the latest news and events impacting patron data privacy and security, so make sure you subscribe to our weekly newsletter to get the latest news delivered to your inbox.

Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Saving Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.

Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless, it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Frontier Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!
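To make the Diceware mechanics concrete, here is an added example (not code from the original post, the EFF or the Diceware project) of how the method works in code: five rolls of a six-sided die give a key such as 41253, that key selects one word from a 7776-entry list, and the passphrase's strength is the number of words times log2(7776), about 12.9 bits per word. The physical dice are replaced here with Python's `secrets` module, which is the right source when you let a computer roll for you. A real list (the original Diceware list or the EFF long list) has 7776 words in "key<tab>word" format; the stand-alone demo below uses a constructed placeholder list with made-up words so that it runs without downloading anything.

```python
import itertools
import math
import secrets
from typing import Callable

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a real Diceware list


def key_to_index(key: str) -> int:
    """Map a five-dice key ('11111'..'66666') to a 0-based list index (0..7775)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def parse_wordlist(text: str) -> dict[str, str]:
    """Parse 'key<tab>word' lines (the layout of the published lists) into a dict."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        key_to_index(key)  # validates the key
        words[key] = word.strip()
    return words


def roll_word_key(roll: Callable[[], int] = lambda: secrets.randbelow(6) + 1) -> str:
    """Roll five dice; the default roll uses the OS CSPRNG instead of physical dice."""
    return "".join(str(roll()) for _ in range(DICE_PER_WORD))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Strength of a passphrase of n uniformly chosen words from the list."""
    return n_words * math.log2(list_size)


def generate_passphrase(words: dict[str, str], n_words: int = 6,
                        roll: Callable[[], int] = lambda: secrets.randbelow(6) + 1) -> str:
    """Roll a key per word and look each up; refuse lists that are not complete."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list has {len(words)} entries, expected {LIST_SIZE}")
    return " ".join(words[roll_word_key(roll)] for _ in range(n_words))


def demo_wordlist() -> dict[str, str]:
    """Constructed placeholder list ('word0'..'word7775') standing in for a real one."""
    keys = ("".join(t) for t in itertools.product("123456", repeat=DICE_PER_WORD))
    return {k: f"word{key_to_index(k)}" for k in keys}


if __name__ == "__main__":
    words = demo_wordlist()
    phrase = generate_passphrase(words, n_words=6)
    print(phrase)
    print(f"{entropy_bits(6):.1f} bits for 6 words; a single word is {entropy_bits(1):.1f} bits")
```

The entropy figure is what justifies the "six words" advice: it depends only on the list size and the word count, not on how unusual the words look, which is why picking words yourself instead of rolling for them defeats the method.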

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.