I can’t remember where someone said that there are two types of organisations: those who tell you that they have been hacked, and those who don’t know that they have been.
And for everyone, their priorities and reasons for being interested in protecting their information will differ from one person to another. For example, journalists, lawyers, or doctors will each have their own priorities.
As a result, a number of organisations, including the Electronic Frontier Foundation, refer to “threat modelling”, where they ask:
1. What do I want to protect?
2. Who do I want to protect it from?
3. What skills, resources and motivations do they have?
4. How likely is it that they will come after it? What happens if they do?
5. How much time, energy and resources am I willing to expend to prevent that?
A number of organisations come up with personas, or types of people, and outline the threat model that seems most appropriate to each of them.
The reality is that there is no such thing as perfect security. And that really needs to be our starting point.
There are a number of things which may seem really obvious, but which we may not think about too much because we have become too blasé.
- If you don’t collect the data in the first place, then you don’t need to worry about it getting into the hands of a hacker. Or, in other words, only collect data that is absolutely necessary to have
- Don’t keep information for any longer than is really necessary
- If your organisation was the subject of a hacking attack, any potential damage would be reduced if you had encrypted the data
- Think about the weakest link – which is the human element. Raise awareness of the risks. Provide education and training on defending library user privacy
- Think about backups. It’s not enough to have one backup. Time and again one sees people get into a mess, turn to their backup, only to find that the backup was corrupt or something of that sort.
- If it were a public library, and a significant percentage of the stock was always on loan at any point in time, think about losing your data. You wouldn’t know who to chase for the return of a portion of your collection, you wouldn’t know who owed you money from overdue fines, etc. What made me think of that – reading up about one library (which shall remain nameless) where that’s precisely what happened.
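Two of the points in the list above (keeping loan records no longer than necessary, and checking that a backup can actually be relied on rather than trusting a single copy) can be turned into routine checks. The following is an added example written for this post, not code from any library system: it assumes loan records are simple dictionaries with an ISO-format `returned` date (or `None` for items still out), a hypothetical 90-day retention window, and a backup layout in which each copy carries a `MANIFEST.json` of SHA-256 hashes so that a corrupt copy is detected before it is needed. All sample data is constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

# Assumed policy value: how long a returned loan stays linked to a borrower.
RETENTION_DAYS = 90


def purge_returned_loans(loans, today, retention_days=RETENTION_DAYS):
    """Keep open loans; drop returned loans once the retention window has passed.

    Open loans must be kept (you still need to know who has the book), but a
    returned loan is only borrower-linked history, so it is removed on schedule.
    """
    cutoff = timedelta(days=retention_days)
    kept = []
    for loan in loans:
        if loan["returned"] is None:
            kept.append(loan)
        elif today - date.fromisoformat(loan["returned"]) <= cutoff:
            kept.append(loan)
    return kept


def write_backup_with_manifest(records, backup_dir):
    """Write the records to backup_dir alongside a manifest of SHA-256 digests."""
    os.makedirs(backup_dir, exist_ok=True)
    data = json.dumps(records, sort_keys=True).encode()
    with open(os.path.join(backup_dir, "loans.json"), "wb") as f:
        f.write(data)
    manifest = {"loans.json": hashlib.sha256(data).hexdigest()}
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir):
    """Recompute every digest in the manifest; return (ok, list_of_problems)."""
    problems = []
    try:
        with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
            manifest = json.load(f)
    except (OSError, json.JSONDecodeError) as exc:
        return False, [f"manifest unreadable: {exc}"]
    for name, expected in manifest.items():
        try:
            with open(os.path.join(backup_dir, name), "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
        except OSError as exc:
            problems.append(f"{name}: missing ({exc})")
            continue
        if actual != expected:
            problems.append(f"{name}: hash mismatch")
    return not problems, problems


def verify_all_copies(backup_dirs):
    """Check every backup copy independently; one good copy is not enough to
    trust the others, so each gets its own verdict."""
    return {d: verify_backup(d) for d in backup_dirs}


def demo():
    """Constructed scenario: purge old loans, back up twice, corrupt one copy."""
    today = date(2024, 6, 1)
    loans = [  # constructed sample records
        {"item": "B001", "borrower": "u17", "returned": None},          # still out
        {"item": "B002", "borrower": "u42", "returned": "2024-05-20"},  # 12 days ago
        {"item": "B003", "borrower": "u08", "returned": "2024-01-15"},  # 138 days ago
    ]
    kept = purge_returned_loans(loans, today)

    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "copy1")
    bad = os.path.join(tmp, "copy2")
    write_backup_with_manifest(kept, good)
    write_backup_with_manifest(kept, bad)
    # Simulate silent corruption of the second copy (a truncated or bit-flipped
    # file would be caught the same way).
    with open(os.path.join(bad, "loans.json"), "ab") as f:
        f.write(b"\x00")
    return kept, verify_all_copies([good, bad])


if __name__ == "__main__":
    kept, results = demo()
    print(f"{len(kept)} loan records kept after retention purge")
    for path, (ok, problems) in results.items():
        print(path, "OK" if ok else "FAILED", problems)
```

Running the verification on a schedule (and on every copy, not just the nearest one) is what turns "we have a backup" into "we know the backup restores"; the retention purge is run against the live records before they are backed up, so the backups never hold borrower history the policy has already retired.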