Today’s guest post is brought to you by our recent presenter, Becky Yoose. Special thanks to Becky for being willing to answer the questions we didn’t have time for during our webinar!
Hello everyone from your friendly neighborhood library data privacy consultant!
We covered a lot of material earlier this month in “A Crash Course in Protecting Library Data While Working From Home,” co-sponsored by LITA and OIF. We had a number of questions during the webinar, some of which were left unanswered at the end. Below are three questions in particular that we didn’t get to in the webinar. Enjoy!
Working from home without a web-based ILS
We don’t have a web-based version of our ILS and our County-based IT department says they can’t set up remote desktop (something to do with their firewall)… do you have any recommendations on how to advocate for remote desktop? If I have to store patron data while working from home (setting up new memberships) would you advise using GoogleSheets (cloud-based) over Excel (hard drive)?
That is a tricky situation that requires a bit of strategizing before your next ask to your IT department. Let’s break this question down to two parts:
Advocating for remote desktop
Remote desktop on its own can be a convenient way of accessing important work applications and files, but on its own can open your network to a higher risk of a breach. This might be a reason why your IT department is hesitant in setting up remote desktop for your library, and it’s a valid concern. Nonetheless, there are ways in which your IT department can protect their infrastructure while still providing remote access to the system.
One common way to protect remote desktop access is through using a virtual private network, or VPN. Ask your IT department if they have a VPN set up for other departments in the organization. A VPN could address the firewall issue that your IT department mentioned, since firewalls can be a pain to manage for IT staff if they only go the remote desktop route. There will still be some firewall work for your IT department, but a number of commercial VPN products have resources (such as documentation, support staff, and an active user community) that can assist in furthering the protection of the network.
There is another reason why going the VPN/remote desktop route is a good thing to do for remote workers, which leads us to…
Local versus remote storage
First, if you are using a work machine at home and do not have access to your work network storage, use the work machine to store patron data, particularly if your IT department has set up encryption on your hard drive.
It gets complicated if you’re working on a home computer and don’t have access to your work network storage. Here are a few risks associated with your two options:
- Personal computer hard drive
- Housemates accessing patron data when using the computer
- Patron data compromised due to lack of or outdated version of antivirus software
- Persisting patron data on hard drive after normal deletion
- “Free” personal account on third party cloud storage service
- Vendors storing, processing, and sharing patron data under an end user license that does not adhere to legal regulations surrounding library data and privacy
- Patron data compromised due to lax security measures or malicious attack on vendor system
One shared risk concerns legal regulation and patron data (disclaimer – I am not a lawyer, and the following is for informational purposes only). Depending on your state, there are a number of regulations surrounding the confidentiality and privacy of patron data. If you store patron data on your computer, your computer might be subject to search if there is a public disclosure or law enforcement request for that data. On the other side, would you know if your vendor gave your stored data to law enforcement? You’re dependent on the vendor’s law enforcement request policies… if they have one.
Tying it back to the first part, there are a number of privacy, security, and legal risks that can be mitigated with setting up a VPN and allowing for remote desktop access from there for remote workers. Because we are dealing with both technical and non-technical risks that have the potential to create major consequences for your organization if realized, start talking to folks in your administration who might be a strong advocate for when you go back to the IT department with your request. It never hurts to have some help from higher up, particularly if the IT department is still accepting the technical risks associated with relying on workers to use their home computers and personal cloud storage accounts.
Can you speak on browser security please?
Browsers are our lifeline to the World Wide Web as much as they can be one of the main security vulnerabilities in our digital toolkit. When you are online, you are being tracked by a variety of third parties through cookies, web beacons, and scripts. You are also generating data that can be used for a number of reasons, from targeted or behavioral marketing to surveillance. Your browsing can also open you up to a possible attack through malicious scripts or other content that can cause havoc in your work network, computer, or your data life. Your choices around the browser you use, including your extensions and settings, helps determine the level of security and privacy of your online activity.
Your browser choice is affected by a number of factors, including your operating system, accessibility features, and the overall user experience. Some browsers are better than others with regard to “out of the box” privacy and security, while others have a number of settings and extensions that can provide a decent amount of privacy and security. There is no shortage of articles about which browsers are better for privacy out of the box (read more at ProtonMail, Wired, and Lifehacker), and you will notice that Brave, Tor, Firefox, and DuckDuckGo’s mobile browser tend to be in almost every article about privacy-oriented browsers.
No matter what browser you use, your browser settings and extensions also determine how safe and private you are online. Turning on private browsing (or incognito mode) in your browser can help, but that alone will not protect your online privacy. Lifehacker’s article about browsers and privacy has a good list of what to change and what to install when setting up your browser for secure, private online browsing:
- Tell your preferred browser to start in incognito or private mode.
- Enable any bonus features your browser might have, but isn’t running by default, to keep your data safer.
- Change the default search engine to a privacy-minded website, like DuckDuckGo or Startpage.
- Install extensions that can help you protect your privacy.
- Use an ad-blocker, like AdBlock Plus.
- Automatically clear your cache and history when you shut down your browser.
- Use HTTPS/SSL everywhere you can.
In addition, I recommend the following extensions in addition to your ad-blocker extension:
Overall, your browser setup, combined with good digital privacy and security practices, can help protect your security and privacy.
Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign on provider. Can you talk a little bit about the benefits of multi-factor authentication?
Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:
- Something you know, like your password
- Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
- Something you are, like your fingerprint, face, voice, or other biometric piece of information
(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)
MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.
While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.
This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Freedom Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next table top gaming session!
As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.
Becky Yoose is the founder of and Library Data Privacy Consultant for LDH Consulting Services, a consultancy that guides libraries and vendors in protecting patron data without sacrificing operational data needs. For over a decade, Becky has wrangled library data in its various forms in academic and public libraries. Becky received her MA-LIS from University of Wisconsin – Madison in 2008, and has been a Certified Information Privacy Professional/United States (CIPP/US) with the International Association of Privacy Professionals since 2018. You can find her online at yobj.net and @yo_bj on Twitter.