Cyber attacks are a concern for many industries, and the museum sector is no exception. As more museums and cultural institutions use technology to display digital works, manage internal documents or store donor data, the risk grows along with it.
“The thing is, there is always potentially a risk for cyber attacks, so whether you’re big or you’re small, you’re at risk,” said Joshua Morin, director of IT and application services at The American Alliance of Museums, on this episode of The Insuring Cyber Podcast. “I like to take a when, not if, approach to cybersecurity. It’s very likely to happen. We all know the news.”
In fact, earlier this year, reports showed that several U.S. art institutions were unable to display their digital works following a cyber attack on Gallery Systems, a museum software provider whose products help museums manage internal documents and display digital works.
“As the industry saw from some cyber attacks that occurred at the end of last year, museums and cultural institutions are increasingly becoming the targets of cyber threat actors,” said Anthony Dolce, head of cyber at The Hartford. “That might be a shock to some that these types of institutions are on the radar of cyber criminals, but they are not exempt from it. And I think that’s going to be a theme of our conversation today that really nothing is out of bounds for cyber criminals.”
The New York Times reported that Gallery Systems informed clients in a memo that it originally noticed the problem on Dec. 28. Gallery Systems didn’t immediately respond to a request for comment from The Insuring Cyber Podcast.
The incident points to a larger conversation around how museums and cultural institutions should be managing these growing threats.
“That attack was indicative of the way hackers are approaching their targets these days,” said John Farley, managing director of Gallagher’s cyber practice. “Specifically, they’re going after key suppliers in the supply chain, so we’re talking about software providers. And the reason they’re doing that is because they know that those software providers probably have hundreds, if not thousands, of other clients whose data they take in.”
He added that if a cyber attacker can successfully compromise a software provider, the attacker could access data for all of that provider's clients, making the provider an attractive target for an attack with far wider ramifications.
“It’s almost like a one-stop-shop for a hacker these days, and they know that,” he said.
While museums face risks similar to other organizations regarding ransomware, social engineering and data theft, Dolce said another piece of the puzzle could make the severity of attacks on museums even broader.
“Another point I think that’s significant here is that while the attacks on most businesses really have a monetary component to it, in this area with museums, cultural institutions and things like that, the attacks go beyond just money and can have a real negative impact culturally and on learning and education around the arts,” he said. “So, I think that just brings an increased awareness and vigilance that needs to come in here because the ramifications are that much broader than just the monetary piece.”
Because museums share information with the public and serve as arts education resources in their communities, cyber criminals have access to all of that information, too, Morin said.
“[Museums] naturally love to share information, and they share that information with the public. This comes in many forms, whether it’s sharing information about new exhibits coming up on social media or sharing photos of their staff working with the community,” he said. “This makes museums, and to a large extent, nonprofits, possible targets of spear phishing attacks.”
Spear phishing attacks are targeted phishing attacks that use prior research or information to gain trust, so that emails or messages purporting to come from a particular individual or company appear authentic, Morin explained.
“For instance, that would mean going on LinkedIn or a museum website, finding out staff names and positions, and using that information to make that phishing attack sound more authentic,” he said.
Trust, But Verify
Morin said he encourages his staff to “trust, but verify,” which means taking an extra moment to question the source of an email or confirm it came from a legitimate sender.
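The "trust, but verify" step Morin describes can be partly automated on the receiving side before a person ever has to make a judgment call. The script below is an added example for this page, not code from the podcast guests, Gallery Systems or the American Alliance of Museums; the museum domain, staff directory and sample message are all constructed. It runs the four checks a recipient should make on a suspicious message: whether a familiar display name arrives from an address that is not that person's, whether the sender's domain is a look-alike of the museum's own, whether a Reply-To quietly diverts the conversation elsewhere, and whether the inbound mail server's SPF/DKIM/DMARC verdicts failed.

```python
"""Spear-phishing header triage: a small "trust, but verify" check on inbound mail.

Added example; not code from the podcast or any organisation it mentions.
Every domain, name and message below is constructed for illustration.
"""

import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the public staff list an attacker could harvest from the museum
# website or LinkedIn, mapped to each person's legitimate address.
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@cityartmuseum.example",
}
TRUSTED_DOMAINS = {"cityartmuseum.example"}

# Character sequences commonly swapped in to fake a domain (rn looks like m, etc.).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain):
    """Drop the TLD, strip separators and fold look-alike sequences to their real letters."""
    labels = domain.lower().split(".")
    core = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    core = re.sub(r"[^a-z0-9]", "", core)
    for fake, real in HOMOGLYPHS:
        core = core.replace(fake, real)
    return core


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as 'cityartmusem'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain.lower() in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if edit_distance(norm, normalize_domain(t)) <= 1:
            return t
    return None


def triage(raw_message, directory=STAFF_DIRECTORY, trusted=TRUSTED_DOMAINS):
    """Return a list of (indicator, detail) pairs for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. A display name we recognise from the staff list, but not that person's address.
    expected = directory.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(("display_name_impersonation",
                         f"{from_name!r} is {expected}, not {from_addr}"))

    # 2. Sender domain is a look-alike of our own.
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append(("lookalike_domain", f"{from_domain} resembles {target}"))

    # 3. Replies would silently go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_addr}"))

    # 4. SPF/DKIM/DMARC verdicts. Only trustworthy when the Authentication-Results
    #    header was added by *your own* inbound mail server; strip any that arrive
    #    from outside before relying on them.
    for hdr in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", str(hdr))
            if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
                findings.append(("auth_failed", f"{method}={m.group(1)}"))
    return findings


# Constructed sample: a spear-phishing message built from a real staff member's
# public name, sent from a homoglyph domain with replies diverted to webmail.
SAMPLE_EMAIL = """\
Authentication-Results: mx.cityartmuseum.example; spf=fail smtp.mailfrom=cityartrnuseum.example; dkim=none; dmarc=fail header.from=cityartrnuseum.example
From: "Jane Doe" <jane.doe@cityartrnuseum.example>
Reply-To: <jane.doe.director@webmail.example>
To: finance@cityartmuseum.example
Subject: Quick favor before the gala
Date: Mon, 04 Mar 2024 09:12:00 -0500

Hi, I'm stuck in a donor meeting. Can you wire the caterer's deposit today? I'll send the details.
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_EMAIL):
        print(f"{indicator:28s} {detail}")
```

A message that trips any of these indicators should be confirmed out of band, by phone or in person with the colleague it claims to come from, before anyone acts on it; the script narrows the pile of mail that needs that human step, it does not replace it. The Authentication-Results check is only as good as the mail gateway that wrote the header, so make sure the gateway strips any copy of that header supplied by the sender.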
Farley added that having an incident response plan in place is important so quick action can be taken when an attack occurs.
“Who are you going to call, and how do you get to the place where you’re stopping an attack and the financial and reputational harm that’s going to occur?” he said. “That’s going to involve key stakeholders across the organization — your legal department, your spokesperson, your operations division, your CFO, your IT department. They’re all going to have to coordinate together if an attack occurs.”
It’s also important to consider the human element, Dolce said.
“You always want to train your employees on how to act responsibly online,” he said. “Usually, the cyber criminals prey on people’s good nature.”
Cyber Insurance as a Mitigation Strategy
Another piece of the puzzle in managing cyber risks at museums and cultural institutions is calling on the resources of cyber insurance experts.
“There’s a lot more conversation going on about cyber insurance, and it’s certainly something that we encourage any museum that has the financial ability to look at their options,” Morin said.
Farley said he expects to see more standalone cyber insurance policies arising for museums, nonprofits and cultural institutions in the future as the risks evolve.
“Part of that is because of the market we’re in right now. It’s a market where we’ve got lots of competition. It wasn’t always that way,” Farley said. “We just came through a couple of years of a really difficult market where capacity was shrinking, but now we’re seeing increasing capacity and pretty aggressive competition out there. There are many companies writing standalone cyber insurance, and they’re going to write it for multiple sectors, including museums.”
He said that museums seeking coverage should be prepared for underwriters to exercise extra scrutiny, however, given the current cyber risk environment.
“I think they will ask a lot of questions about your security controls,” he said. “It’s going to be a pretty involved questionnaire, and they need that comfort level that you’re taking steps to protect your data to prevent attacks and to mitigate attacks.”
This means collaboration is key as organizations work with brokers to find the right coverage.
“Having a broker that’s kind of been there and understands what controls the underwriters are going to be asking about is important in just helping navigate what really has become pretty complex,” he said.
Indeed, the environment will only become more complex as reliance on technology and interconnectivity increases, Dolce said.
“I think the world is becoming more interconnected, especially with some of these types of institutions where you don’t need to actually physically go to the building where the works of art or the exhibits are to enjoy them or experience them or learn from them because you can see things online,” he said. “There’s just that much more interconnectivity with different things, and that extra interconnectivity, I believe, makes [museums] an appealing target for cyber criminals to try to exploit that much more.”
Morin added that this makes it even more important for museums to maintain proper cybersecurity protocols to continue building trust in their communities.
“Museums are a very sharing, open field, and we want to maintain that,” he said. “The answer is not to take it off the Internet. It can’t get hacked that way, but that’s just not the reality we live in. We want to be pillars in the community and to keep earning that trust. Again, take that when, not if, strategy and plan ahead.”
Check out the rest of the episode to see what else John, Anthony and Joshua had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.