Hi Sharon,

In the Director's report at the next LBOT meeting can you tell us if the library has an IT security training program for the staff, and what the major elements are in that program? In particular, I understand that directed phishing attacks are a major way that hackers breach an organization's IT security defenses. E.g., hackers learn personal information about their targets, often from social media, and then trick the target by sending email seeming to come from a friend, relative, or colleague.

Thanks, Rich

Sharon:

We are very aware of these types of issues and IT spends an incredible amount of hours on preventative care and scheduled tasks to mitigate these threats at the network level. We also know that it is true that, at the end of the day, the #1 weakest link is the end user and training is extremely helpful in reducing this risk. Up to this point, IT just has not had the resources to be doing training and outreach across the organization with everything else going on, which is one of many training topics that the City has not addressed to employees on an ongoing basis. Unlike most of our larger peers, who have dedicated Chief Information Security Officer (CISO) positions to train and spend all their time on this topic, we deal with the same amount of threats with our existing resources. I am proud of the fact that we are experiencing similar outcomes (i.e. they get hit too from time to time...no one is immune) and may even have a better track record; we just need to work harder and smarter and be more creative to protect ourselves.

The good news is that this is changing as we get up to speed with the new LDS position being onboard, and we are working on a better onboarding and documentation process, also more frequent policy reviews. Also, I just recently purchased a subscription to KnowBe4 (https://www.knowbe4.com/), a cloud-based security training and testing service. Daniel will begin rolling this out soon to all employees and we will begin "secret" penetration testing with employees as "unknowing" testers. This will give us a good determination of what our potential exposure is. There will be some canned training that we will require of all employees and some extra training for those that fail specific targeted "secret" exercises. This will not only be great for our work environment, but hopefully will also carry over into people's regular non-work lives. These threats are everywhere and vigilance needs to be maintained 24-7-365, at work and home.

Here are just a few other things IT is actively engaged in for security:

1. Library patron network is 100% isolated from the City network, including separate broadband. An event like Ryuk on the patron network would mean just a shutdown of all patron computers and a restore through reboot/restore. We also keep the patron network fully patched up-to-date and we run active Windows Defender antivirus. Patron computers are significantly locked down via local group policy which minimizes what users can do.

2. IT actively monitors all network traffic, including WiFi, and all machines have limited permissions to perform installation or configuration changes without IT's involvement and elevated permissions.