Happy New Year! We have had a few inquiries recently from members regarding security topics, and so we thought we would take the opportunity to respond more broadly in case others had comparable questions.
Phishing and Spearphishing
While many of us use email systems that are getting better and better at automatically catching spam and phishing attempts, some definitely still get through, especially “spearphishing” attempts, which are less automated and rely on contextual information from the target’s environment to fool them into clicking on malicious links. Indeed, one member recently forwarded us a message that purported to be an invoice from our admin and used a logo from our website to disguise its malicious intent.
In that case, the member employed great security literacy skills. They noticed first off that the email address the message originated from was not at all a Co-op address. While they were sure it wasn’t a legit email, they also took the reasonable step of emailing me directly to verify whether we had sent the message. We confirmed that we had not and that it should be deleted.
All libraries and library staff should familiarize themselves with basic anti-phishing guidelines. They should also make sure that their email hosts are actively protecting against malicious messages, that they are running antivirus and anti-malware software (like Windows Defender), and that they are following standard practices like using longer passwords, not reusing passwords, turning on two-factor authentication where it is available, etc.
A couple of resources you should have access to via LinkedIn Learning are:
- 5-minute course defining spearphishing https://www.linkedin.com/learning/security-tips/spear-phishing-and-catfishing
- 5-minute course on how to spot phishing emails https://www.linkedin.com/learning/security-tips/recognize-phishing-emails
- BC gov resource on recognizing cyberthreats https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/information-security/information-security-awareness/cyber-threats
Recent Cyber Incidents at Toronto Public Library and British Library
We’ve also received email from members concerned because of the recently publicized cyberincidents at TPL and the British Library. While it is good to be reminded of these risks, the fact that two incidents involving large library systems were in the news around the same time is a coincidence. The truth is – these kinds of attacks have been going on for many years now. They happen regularly and have targeted all sorts of entities, from health authorities and transit commissions to private business and government. And libraries.
The Co-op takes the threat of these kinds of attacks very seriously. We follow our privacy and security management plan, and put in place measures to both defend against and recover from such attacks as best we can. The risks for the Co-op are slightly different than for an individual library – as a distributed organization, we do not run a LAN, which can often be a vector of rapid spread in these kinds of attacks. Yet we are far from immune – we have users from 100+ library systems accessing our systems on a daily basis, and as we are not the IT provider for all of these users, we can’t actively secure all of their devices ourselves. Hence, in part, the advice above to you all to do some anti-phishing education!
If you have questions or would like further discussion, please feel free to follow up with the Co-op’s Privacy and Security Officer, Scott Leslie, at email@example.com