Museums of all sizes are adopting digital tools to keep up with the times and find new ways to enhance visitor experiences, preserve collections, or streamline back-office operations. But these changes are not without risk. Cyber threats are the flip side to our tech advancements.
Every industry and sector has to navigate phishing attacks, ransomware, data breaches, etc. It’s an unpleasant and, frankly, intimidating part of the landscape. Museums are not immune. Staying aware and vigilant is a requirement.
Quick aside: True to form, there is already a Museum of Malware Art (in Finland):
The Museum of Malware Art captures the dark side of our digital world. Through our collections and exhibitions, we explore the history, present and future of cyber attacks: the motivations behind them, the ethical considerations of digital security and malware’s effects on individuals, companies and societies. (Source: Museum of Malware Art)
Why are museums a target?
Surprising, perhaps, but museums can be a prime target for cybercriminals because of the valuable digital assets — donor records, payment information — combined with a perception of museums as soft targets with less vigorous cybersecurity measures than those of banks or healthcare companies.
Take the 2023 attack on Gallery Systems, a major provider of museum software. When they were hacked, the impact rippled across their client base, causing digital collection headaches for institutions like MFA Boston and Crystal Bridges. Disruptions to operations wreak havoc (and may indirectly impact your bottom line), but if the attack involves stolen data, as experienced by The Metropolitan Opera, it can lead to significant financial losses. For smaller museums, this kind of thing could be devastating.
Common vulnerabilities
Let’s discuss some of the most common issues museums face when it comes to cybersecurity, the potential problem areas:
1. Relying on older software that lacks modern security updates leaves you wide open to attacks. Plus, technology evolves at such a fast pace these days, that even if your software isn’t “old,” as time passes, the data stored on it becomes more vulnerable in all senses.
2. Using external vendors — ticketing platforms, collections management systems, even social media platforms — comes with a degree of risk. If your vendor gets hacked, your museum could be affected, too.
3. Cybercriminals exploit human error, tricking people into clicking malicious links or sharing sensitive information. Spear phishing attacks at work can be a little harder to spot than, say, the obviously fake text you keep getting from U.S. customs about a USPS parcel (otherwise known as bulk phishing).
Protecting your museum
Now let’s temper all that negativity with solutions. You can reduce your risks with proactive steps. Here are the best ways to practice good cyber hygiene and improve your museum’s cybersecurity without breaking the bank:
- Start with a risk assessment. What systems are outdated? Where are your weak points? Once you know, you can prioritize various fixes.
- It’s obvious, yet we sometimes fail to do it: Use strong passwords and enable multi-factor authentication. MFA is one of the simplest and most effective ways to protect sensitive accounts.
- Keep your software updated.
- Be diligent about maintaining backups to avoid data loss (whether from outside meddling or other causes).
- Everyone on staff, from the front desk to leadership, needs to know the basics of cybersecurity. Teach everyone to spot phishing emails and think before they click. Reiterate the importance of strong passwords.
- If a breach happens, what’s your game plan? Know how you’ll respond, who will be involved, and how you’ll communicate with stakeholders.
- Work only with third-party providers who take cybersecurity seriously. Ask them about their security protocols and how they handle breaches.
The most basic step to staying protected is to frame things properly from the outset: Cybersecurity isn’t exclusively an IT issue. Rather, you should think of it as one more way to protect your collections. Museum leadership and board members need to make cybersecurity a top priority, which means allocating resources and integrating it into a museum’s strategic goals.
Bookmark these resources to read up and stay current:
Stop, Look, Think: How To Manage Digital Vulnerabilities, AAM — On being good digital stewards and creating “anti-fragile” systems for data management. The “Museums Might” section is a must-read.
Why Cultural Institutions Are Rich Targets for Cyberattackers, Information Week
Related: Why Cyber Resilience May Be More Important Than Cybersecurity
Cyber Essentials Toolkit, CISA.gov — Six chapters on highly relevant topics.
8-Step Guide To Step Up Your Museum’s Cybersecurity, Cuseum — Including this one for the excellent supporting data and pro tips sections.
Cybersecurity is intrinsically daunting, yes, but small steps can make a big difference. As you would with museum sustainability or accessibility goals, view digital security measures in terms of progress not perfection. Start today by having a conversation with your team about digital safety.
