Museums and galleries have become more dependent on digital technologies during the Coronavirus pandemic. But as Ian Armstrong, Senior Information Security Consultant at Security Risk Management (SRM), explains, with greater reliance comes a greater responsibility to focus on security and data protection.
Through 18 months of lockdowns, closures and varying restrictions, it has been impressive to see how museums and galleries around the globe have pivoted effectively to provide their remote visitors with digital experiences and engagement opportunities. Even before the Covid-19 pandemic, there were many examples of museums utilising technology to enhance accessibility and extend their reach beyond their physical premises. But there is no doubt that the pandemic has accelerated and expanded this trend.
Now that institutions are once again opening their doors to the public, the landscape has certainly shifted yet again. But there is no doubt that the reliance on digital is here to stay and many of the technologies adopted during 2020 will become embedded into museums’ futures. From online gift shops to contactless ticketing, Augmented Reality exhibitions to virtual learning courses, museums have diversified their offering and expanded their marketing efforts to attract new audiences.
Similarly, the desire to deliver increasingly interactive on-site experiences using wireless networks will present an ongoing challenge as attackers seek to exploit any unsecured or vulnerable entry point.
As I’m sure MuseumNext’s community will already be aware, the challenge for institutions is now to build these learnings and success stories into a longer-term strategy, consolidate progress and plan for a bright future post-Covid. And one aspect of this that shouldn’t be ignored is the increased demand on cyber and information security that is always the result of an increased reliance on digital technologies.
The cyber threat to museums isn’t theoretical – it’s happening now
Last year, anonymous hackers accessed data containing the personal details of donors to several hundred cultural institutions in the US and UK, including the National Trust and the Smithsonian Institution. The attack was carried out through a third-party cloud software company called Blackbaud, which works with more than 25,000 cultural clients around the world. As a consequence, hundreds of people had their personal information put at risk. Other establishments to be impacted included the Parrish Art Museum and the Corning Museum of Glass in New York.
Also in 2020, the American Museum of Natural History suffered a breach that exposed the contact information, demographic detail and donation records of visitors and patrons, while in 2019 four of London’s major tourist attractions were targeted by hackers. Between them, the Natural History Museum, the Imperial War Museum, Kew Gardens and the Tate recorded tens of millions of attacks over three years.
In response to a growing number of attacks and breaches, the UK’s ActionFraud sent out a blanket warning to museums, galleries, tourist attractions, cinemas and other venues about the likely rise in ticket fraud that would coincide with the reopening process – particularly given institutions’ new-found reliance on online ticketing and booking systems.
Reminding ourselves of these instances isn’t about instilling fear in senior managers; it is about understanding the growing threat landscape and taking proactive measures to mitigate risk. After all, as we tell clients at SRM: prevention is always better than a cure.
Cybercrime can take many forms, but knowledge is power
Organisations beginning to expand their use of digital technologies can be forgiven for being unaware of each and every associated risk. After all, the urgency of action and pace of pivoting through the pandemic has not always allowed for extensive research time or deliberation.
Now, however, it is critical that institutions take the time to understand the challenges as well as the benefits presented by the new tools at their disposal and the new working practices they have implemented. Failing to fully explore growing security requirements or simply hoping that a breach never occurs is never a solution. As museums continue to adopt new technologies, it is vital to ensure that security measures grow and mature in line with innovation. That can mean:
- Regularly scanning for vulnerabilities in systems and IT infrastructure and utilising penetration testing to identify weaknesses before a hacker can
- Training staff on safer remote working practices, how to identify phishing scams and how to spot potential ransomware attacks
- Adhering to Payment Card Industry (PCI) requirements in relation to online transactions and card payments
- Collecting, processing and storing customer data safely and securely in line with the UK GDPR and Data Protection Act
- Preparing a comprehensive disaster recovery and incident response plan – because no matter how prepared a museum is, it is always necessary to know what to do should the worst happen
As any in-house Chief Information Security Officer (CISO) or Head of Digital will know, cybercrime can come in many forms. In order to reduce and mitigate risk, it is critical that the appropriate investment and resources are made available by museums, backed by board-level buy-in.
Without the right tools and information in place phishing attacks can occur unchallenged
Phishing is a prime example of how avoidable cyberthreats can cause considerable damage when time isn’t taken to educate staff and visitors.
In 2016, New York City’s American Museum of Natural History lost almost $3 million in a phishing incident. A single employee was fooled into believing a scam email was genuine, resulting in an “erroneous” wire transfer. Similarly, in 2015, a member of staff at one of the Nature Conservancy’s Australia programs clicked a link and, minutes later, all of the program’s data became encrypted and the cybercriminals behind it demanded a cash ransom.
With the right education, processes and systems in place, these kinds of incidents can often be avoided, but it is important that museums don’t shrug off the importance of cybersecurity. Now is the time for museums to defend what they have and put the right infrastructure in place, so that their hard work and digital efforts don’t create vulnerabilities that cause future damage.
Security Risk Management (SRM) is one of the UK’s leading independent cyber and information security consultancies. If you are looking to achieve compliance, manage risk, respond to an incident or simply bring in external expertise to support your overstretched in-house team, contact us.