AMT Lab @ CMU


Digital Security & Infrastructure for Arts Organizations - Baseline Considerations

In modern society, we receive almost weekly reports of a data breach at a large-scale company. The business of stealing an organization's data and holding it for ransom has become commonplace. When analyzing these companies and their unfortunate circumstances, what insight can an arts manager gather? What type of data were they protecting? What made them a target? Businesses are not unlike arts organizations, which are also tasked with storing sensitive business and patron data. This article explores basic cyber-security concerns for arts organizations, where potential risks may lie, and how to remain vigilant in monitoring and protecting the data your company collects.

Network Essentials

Nearly all arts organizations, including those with only a handful of employees, operate their daily business through the use of a computer network. Some organizations have a dedicated Information Technology (IT) person on staff to build and monitor this network, while others have their network constructed by an outside company. This network can be constructed using two vastly different approaches, depending on an organization’s structure. One method is to have an onsite local area network (LAN) as illustrated below, where an in-house server controls and monitors all of the organization's data. Another method is to use cloud-based solutions, where an organization's data is housed and monitored offsite by a third party. This method is usually the more costly of the two. Businesses can also choose to use a combination of both methods.

A basic understanding of these network types will allow arts managers to understand potential points of access for would-be cyber criminals. 

A basic internal network. Source: Conceptdraw

A basic network consists of one or more PCs connected to a router or switch through a Wi-Fi connection or a hard-line Ethernet cable. These devices then run through a switch, which manages data flows between the connected devices and a server; the server may be on-site or off-site depending on your business's preference. Any person with access to these devices has immediate access to sensitive data being stored within the company. A person with motivation and training can easily compromise a system of this type. To combat this, most organizations employ strict password policies to ensure employees create security measures that are not easily compromised. Furthermore, additional security protocols exist depending on whether an organization utilizes desktop computers or laptops. More on that subject will be included in later posts.

Network Breach Points

The daily workflow processes of arts organizations often center around digital communication or work done over the internet. As your employees traverse this digital space they can be exposed to multiple points of potential danger. Dedicating time to educating your employees, as well as outlining standards and safe internet practices within your employee handbook, are measures your arts organization can take to prevent breaches in data security.

 

Downloads and attachment files are commonplace in today’s workplace. Sharing reporting files by email or downloading digital media can become an unsafe practice for employees if not monitored. A diligent workforce will always be conscious of who is sending and receiving attachments, as well as the file type and size of the file they are receiving. If you are expecting a teammate to send you an audio recording of a recent project, you should be expecting a rather large attachment file. If the file appears suspiciously large or small, you should be wary, for it may contain Trojan viruses or other such malware. Most companies today employ strict firewall or security measures to make sure all incoming emails are thoroughly scanned for potential threats.

Many organizations provide public Wi-Fi as an amenity for visitors to their space. While it is a nice gesture, it creates an opening for would-be data thieves to infiltrate your space and compromise the data of both your organization and your patrons. Business-related work should always be conducted on a secure, password-protected internet connection. Another line of defense is to employ a firewall for your network. A firewall dictates which types of content are allowed “through the wall” and which types of content users of the network will have access to. This measure helps to monitor incoming traffic and prevent users from accidentally entering an unsafe website.

Organizational Measures

In the article “10 Key Security Considerations,” Jaime Kahan of the investment firm Ernst & Young outlines ten key steps, or considerations, that your organization and its employees must follow in order to maintain secure networks. This piece outlines steps to ensure board support and governance, clearly outlined operating procedures, annual reporting and education on new types of security threats, asset inventory, and continuous monitoring. The idea is to create a culture within your organization that proactively considers the various types of data you are collecting and the best methods for keeping it secure.

Over the next several months, AMT Lab will continue to explore and report upon the best digital security practices for arts organizations. Maintaining both a secure network and a well-prepared staff is paramount to protecting the volumes of data that typical organizations collect. The topics covered within this piece will be discussed in greater detail as AMT Lab moves forward with research into this topic. With the most basic business-side measures covered, we will continue on by addressing patron-side concerns. Does your organization invite patrons to Bring Their Own Device (BYOD)? Is your organization aware of the potential threats patrons’ devices could be exposed to, and in what ways is an organization liable for the protection of patron assets? These topics and more will be explored in the coming months. Have an immediate question about network security or infrastructure? Please leave us a comment below.