Welcome to The Safe Library: Dr. Albrecht's Library 2.0 Service, Safety, and Security Resources

Our Library 2.0 "Safe Library" training programs for library staffers and leaders cover service, security, safety, supervision, and even a little stress management. Our goal is to help to keep all library employees physically and psychologically safe, making it easier for them to serve all patrons in their facilities.

Dr. Albrecht's podcast recordings and feed are to the right, and following immediately below that is a full list of his blog posts. A full list of paid webinars is to the left.

UPCOMING EVENTS

July 25, 2024

BLOG POSTS

Dr. Albrecht's blog posts are below. One of the features of his blog is "ASK DR. STEVE," where readers submit questions and he answers them. To submit a question for Dr. Steve, please email askdrsteve@library20.com.

Keeping Libraries Safe From Digital Attacks

By Dr. Steve Albrecht
Originally published in Computers In Libraries Magazine, June 2023

Over the last 6 years, libraries in St. Louis; Boston; Northampton, Pa.; Syracuse, N.Y.; Contra Costa, Calif.; Spartanburg, S.C.; and Butler County, Pa. have all had to deal with outages and disruptions to their servers and data caused by ransomware attacks. In July 2019 and again in April 2022, the Westchester County, N.Y., library system was hit with ransomware attacks. In a news release for the 2022 incident, the library told patrons, “The Westchester Library System informed us yesterday that the public internet terminals’ hard drives need to be wiped. … Considering that there are 500 terminals in 38 different libraries the process will take 1 1/2 to 2 weeks” (bit.ly/401Yi3q). In August 2022, the venerable library supplier Baker & Taylor was hit by a ransomware attack (bit.ly/3YMIzV5).

By this point in our internet lives, we have all seen stories of supposedly secure federal, state, or local government or corporate sites hacked; the hijacking of social media accounts of celebrities; and intrusions of even “unbreakable” password storage sites and smartphone applications. We have moved beyond the need for constant vigilance, deterrence software, and toothless end-user policies. Why is it that even as recently as 2022, the most common passwords—and therefore the easiest and fastest to learn—are still “password,” “123456,” “guest,” and “qwerty?” Have we learned nothing about how easy it is for software programs to guess any password under 12 letters, numbers, or symbols? If a 16-year-old kid from Estonia using a simple brute-force password-cracking program can get into the network of a Fortune 500 company, something is seriously wrong with our cyber-protection strategies.

The Need for Library IT Professionals to Step Up

I have conducted dozens of security site assessment reports for libraries. As part of these projects, I spend time speaking with the IT/information systems (IS) directors, managers, supervisors, and technical employees, asking pointed questions about the strength of their cyber-protections. We talk about software updates; backing up data off-site or to the cloud; preventing hacking; dealing with denial-of-service (DOS) attacks; and even how to train, remind, and encourage all library employees and their patrons to comply with cybersecurity policies and not make things easy for the cyber-predators to steal data, shut down operations, or hold the library’s OSs, payroll functions, or internet access for ransom.

The problem with this approach is that unlike physical security devices that I can see or security operations that I can observe, I can only take the word of the library’s IT/IS experts that all they have told me is true and “everything is fine.” This is their area of security expertise, not mine. This makes me uncomfortable. Not only do I not know what I don’t know, but it’s more likely they feel uncomfortable revealing their real security concerns to me about actual or potential weaknesses in their systems. Their lack of openness to me about real vulnerabilities—including issues senior library management would likely not know or fully understand either, but would want to—does a disservice to us all. It’s time we ask our IT/IS security colleagues in our library systems to own up to their concerns and ask for and get the financial help and—bureaucracy-limiting—support they need to make ongoing improvements, instead of the usual response of trying to clean up the cyberhack after it has happened.

Going After Our Power Grids

We are hearing more about the rising number of attacks on unsecured/unsupervised power stations, as happened in December 2022 in North Carolina and in June 2022 in Washington state. Both left thousands without power for many days. According to a January 2023 article by investigative journalists from the Oregon Public Broadcasting service and the Seattle radio station KUOW, the western power grid—which serves 11 U.S. states and the provinces of British Columbia and Alberta in Canada—“has had more incidents of vandalism, sabotage, and physical attacks during the first 8 months of 2022 then the rest of North America combined” (bit.ly/404Mr4W).

We have also seen disturbing cyberattacks on hospital systems, which have affected their ability to give quality, life-saving care. Most of the cyberattacks on healthcare facilities have attempted to shut down their electronic medical records/electronic health records (EMR/EHR). This has forced the victimized healthcare facilities to revert to pen-and-paper recordkeeping for patient care during the time these systems were hijacked. CNN ran a Dec. 20, 2022, story about this, titled “Brooklyn Hospital Network Reverts to Paper Charts for Weeks After Cyberattack” (cnn.it/3ZP4Xin), and The Washington Post’s “An ‘Unprecedented’ Hospital System Hack Disrupts Health-Care Services,” from Oct. 6, 2022, describes a cyberattack that hit a large healthcare provider with 140 hospitals and 1,000-plus patient care sites in 21 states (wapo.st/3Woc2U1).

One of the most valuable uses of EMR/EHR computer systems is that they help to cut down on human errors in the receipt of medical services, which is a problem that still leads to thousands of patient deaths per year. (This number is in constant dispute by medical researchers, patient advocates, and defenders of their various healthcare providers and systems. Even one medical error leading to a death is too many, and the reliance on computers in healthcare makes hacking and DOS attacks life-threatening events.)

Time for a New Model for Measuring Workplace Violence?

“Workplace violence is the act or threat of violence, ranging from verbal abuse to physical assaults directed toward persons at work or on duty,” according to the National Institute for Occupational Safety and Health (NIOSH). There are four perpetrator types:

  • Criminal intent (i.e., involving criminals)
  • Customer/client (i.e., taxpayers, students, patrons, patients, passengers, etc.)
  • Worker to worker (current or former)
  • Domestic violence (involving an employee, for example)

These labels are often used in the policy language of most research, government publications, and law enforcement agencies; K–12 schools; colleges and universities; churches; malls; concerts; and public gathering places, such as libraries. The four perpetrator types help academics and government researchers, security practitioners, first responders, human resources professionals, and those who seek to identify the connection between the attacker and an act. Our constant goal is that by understanding this nexus, we can develop ways to stop them, enhance the security, and improve the way we interact with each group, either as potential perpetrators or as potential victims. (How we treat people—as library patrons or customers who use our facilities and services—can make an enormous difference in their desire for revenge, a major factor that encourages or deters them from making threats or using violence.)

We can now define a cyber-driven workplace violence incident as one that can cause the injury or death of many people because the electronic or internet systems we rely on have been compromised, shut down, or held hostage. It’s time to make the case that a new fifth workplace violence perpetrator type should be cyberattacks, which cause fear, injuries, or the potential for actual deaths. We need more awareness-building through continuous education; better cyber-vigilance, starting in our K–12 schools; and advanced deterrence and denial software and hardware tools to combat what is clearly a growing threat to our peace and our lives. The bad guys should not have more advanced tools and techniques than our government, intelligence, and military agencies. We should not have to worry about the necessities that make civilized life possible—constant electricity, clean water, hygienic sanitation, and healthcare facilities—being extorted and forced into operating as if it were the 1950s.

A DOS attack or a successful ransomware attack isn’t just an inconvenience—it has the potential to be life-threatening. While it may be true that some of our fiercest foreign enemies lack technical sophistication, they can certainly buy the brainpower they need from other countries who hate us too. We continue to see so much in open source news about hacking attacks from China, Russia, North Korea, and Iran, as well as numerous others from unidentified attackers or anonymous nation-state actors. (Imagine what is not publicized by our own military or intelligence services and those of our allies.)

At a Jan. 26, 2023, U.S. Department of Justice and FBI press conference, Deputy U.S. Attorney General Lisa Monaco said, “Using lawful means, we hacked the hackers.” This referred to the government’s takedown of a notorious cybercrime and ransomware network known as Hive. “The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 countries, and has collected more than $100 million in ransomware payments,” according to Reuters. A Canadian researcher working for a cybersecurity company called Hive “one of the most active groups around, if not the most active” (reut.rs/3ZNCBEy). Let’s hope this is the start of our stronger offense, not just a defensive posture, wherein we wait to be cyberattacked.

A Worst-Case Cyber-Scenario

It’s too painful to even think about a darkness falling over this nation, literally. Imagine digital terrorists shutting down the country, using keystrokes from thousands of miles away, not weapons of mass destruction. Let’s consider a worst-case scenario, in which 10–20 midsize American cities have their electric power grids taken down. How could this happen? By targeting their power stations, transformers, and electrical towers—not with bombs that destroy them, but with cyberattacks on the software that runs them. With no electricity, no internet, no basic human needs for water and hygiene met, and no civil protection, our society would crumble into lawlessness and despair—and quickly.

Consider the chaotic environment created if several major U.S. cities were to go completely without power for a week: Hospitals run out of diesel fuel for their backup generators; banks can’t open their vaults or dispense cash from ATMs; burglar alarms stop working after their batteries die; food spoils in homes, grocery stores, and restaurants; no gas from local gas stations can get delivered or pumped; no one can charge their cellphones; water pumps and wells won’t work; sewer treatment stops; there’s no heat in the winter or A/C in the summer; and emergency communications systems at fire stations, police stations, airports, aircraft control towers, and emergency operations centers stop functioning when their backup generators go down.

Think this won’t happen in our lifetime? Southwest Airlines had a major software shutdown over the 2022 holiday season that crippled its operations and reputation. The Federal Aviation Administration’s national air traffic control system known as NOTAM (Notice to Air Missions) had a 90-minute shutdown in January 2023 that created the largest single-event aviation ground stop since the 9/11 attacks. Had enough doom and gloom with just these two non-life-threatening scenarios? If our lives are put at risk, we will enter a Digital Stone Age.

What will happen if they do knock out our power grids, power plants (nuclear, gas, coal), mass server sites, water supplies, sewer treatments, and hospitals? And our libraries? It’s time to make our case for a new fifth type of workplace violence perpetrator: the cyberattacker. Libraries are a component of our national heritage and identity and are part of the strength of our communities. Library leaders and staffers need to do their part, every day, to keep internet and intranet access safe in their facilities.



How Vulnerable Are You? Questions to Ask IT

Library leaders need to have an honest discussion with the IT/information systems (IS) professionals responsible for keeping the library's network, servers, hardware, and software systems protected and in working order. This includes these questions:

  • Even if our data is backed up nightly to an off-site location or a cloud-based system, if we were to get hacked, what is the potential for data loss in time? Is 24 hours' worth of data gone? Less? More?
  • Have we ever conducted a worst-case scenario drill? If so, what was the scope, and what did the outcome tell us we still need to do?
  • Do we make regular changes in our network access systems, so that we don't trade security for convenience with our passwords and with whom we allow to access our servers?
  • Is there a complete removal process for server access that IT/IS uses when one of its employees leaves, even under pleasant circumstances? Since many library employees at all levels worked from home during the pandemic, have we removed all remote access capabilities since then? If not, who still has them and why?
  • Does the IT director or manager have a physical sign-in/sign-out procedure each time any employee goes into our server room? Have we considered installing a camera over the server room door to be able to see who enters?
  • What type of fire control system do we use for our server room? Since halon is usually no longer used, do we have a CO2 or FM-200-type fire suppression system?
  • How often is the air conditioning system in the server room serviced?
  • If money was not an issue, what systems, procedures, or policies would you put in place to fully protect our server systems? Can we buy, install, or change portions of those perfect-world solutions to create better best practices?
  • What three things do you want all library employees to do when it comes to protecting our IT/IS systems?
  • What three things do we need staffers to remind all patrons to do to help us protect our IT/IS systems?
Votes: 0
E-mail me when people leave their comments –

You need to be a member of Library 2.0 to add comments!

Join Library 2.0

Comments

  • Reading this reminded me of when I experienced digital harassment via the library's ILS. Around 20(!) years ago, I had books on lesbian relationships appear on my desk. This was clearly from a fellow staff member using my library card to place holds on the books. 

    I wrote this up and reported it and didn't think of this again until reading about the model of workplace violence model. Yes! digital media can be used to commit verbal violence/harassment, even a library's circulation system!

This reply was deleted.

Dr. Steve Albrecht

Since 2000, Dr. Steve Albrecht has trained thousands of library employees in 28+ states, live and online, in service, safety, and security. His programs are fast, entertaining, and provide tools that can be put to use immediately in the library workspace with all types of patrons.

In 2015, the ALA published his book, Library Security: Better Communication, Safer Facilities. His new book, The Safe Library: Keeping Users, Staff, and Collections Secure, was just published by Rowman & Littlefield.

Steve holds a doctoral degree in Business Administration (D.B.A.), an M.A. in Security Management, a B.A. in English, and a B.S. in Psychology. He is board-certified in HR, security management, employee coaching, and threat assessment.

He has written 25 books on business, security, and leadership topics. He lives in Springfield, Missouri, with six dogs and two cats.

More on The Safe Library at thesafelibrary.com. Follow on X (Twitter) at @thesafelibrary and on YouTube @thesafelibrary. Dr. Albrecht's professional website is drstevealbrecht.com.

Safe Library Short Tips (+ Dog)

Go to all videos.

Buy the Book

"20 SAFE LIBRARY GUIDELINES" HANDOUT DOWNLOAD

PAST WEBINARS - RECORDINGS AVAILABLE

CLICK HERE

 

Praise for Dr. Albrecht

"Thank you, thank you, thank you! Thank you for presenting at our staff development day. Our staff has expressed their appreciation for the information and tools you provided. We know the lessons learned will be useful in our day-to-day work. It was a pleasure to have you with us -- even if it was only virtually." - Athens, GA Library

"I wanted to thank you for the session. My husband was listening from the other room and said, 'Wow, that was great!' This was the best library workshop I've been to, and I've been to a lot! The staff was saying the same in emails." - Emily from MI

"Your suggestions of what to say to challenging patrons will really help me once we allow patrons back into the library. Thanks!" - Lori from IL

"Not only have I learned incredibly valuable skills to use in my career as a public librarian, those lessons will have a ripple effect as I teach a course on Social Crisis Management... I always give Dr. Albrecht the credit in the portions of my lecture and presentation.  And have first hand experiences using these lessons to support his approach. Thanks again for lending your expertise to ensure that as librarians we can remain safe, keep our customers safe and still deliver on our mission and the meaningful work we do each day." - Jen 

"You helped to keep my brain from turning into mush during this long time off. Thank you!" - C. from MO

"I was able to view Library Safety and Security and Interacting with the Homeless. I learned so much and appreciate the education you offered.  I became aware of changes, large and small that I can make in my life to enhance how I interact with all people. I do hope our library offers your classes in the future because I did not view all the webinars that I wanted to and I am sure my coworkers feel the same. Thank you again." - Vicki from VA

"I wanted to send you a note of thanks for your webinars... I watched 5 of them and found them to be incredibly informative. Currently I am working with my library's director to put together a situation response manual for safety and security matters that apply to our own library... What you have shared has been very useful to help set up some guidelines and decide a good direction for training within our organization. Thank you so much for sharing your insights." - Jennifer from IN

"Thank you for the great content. I appreciate it." - Carmen from MT

"[I] found [your webinars] extremely helpful and informative. Thanks again and stay safe!" - Christine from PA

"I remember when you came to our Annual Employee Training Session and presented a terrific class. I was able to view all of your webinars during this time and I learned so much. Your generosity of spirit during this pandemic is truly appreciated and your kindness will be remembered. Thanks again and Cheers." - Bernadette from CA

"We have watched a couple of [your webinars] in the past and they always provide a great approach to issues that are becoming more and more common in public libraries." - Rod from TX

"Your webinars were educational and inspiring." - Karen from GA

"I have recently watched all your webinars... (this begins to sound like a groupie saying, "I have all your records!") and I'm so grateful to have had the opportunity to learn from them. They were probably the best work at home professional development material I encountered in the two months my library has been closed. I've worked in public libraries since 1988 and everything you said makes sense in my experience. I look forward to putting what I learned from your webinars to use when we eventually reopen to the people the library exists for. Many thanks!" - Barbara from BC Canada

"I've learned a lot from your diverse offerings as I knew that I would. I listened to 4 of your webinars at this run. I also attended your talk last year at one of our branch libraries. I hope that your presentations remain in my mind and that your practical, philosophical and respectful methods of engagement can be brought forth in times of need." - Deborah from CA

"We don't always take the time to do online courses or participate in webinars because of time and money restraints. We have been lucky to have the time now to take advantage of these opportunities. Your webinars really pack a lot of info in the time allotted. Your observations and surveys conducted with staff across the country made this applicable and the reality. Many of the situations described sound like our day to day interactions with patrons. Again thank you so much for these valuable webinars. I hope we will be open soon and able to put your tips into practice." - Kathy from MD

"I’ve really enjoyed all of your webinars, especially the ones about security and challenging patrons, and I’ve gained some useful knowledge that I can utilize at my library. I hope you have a wonderful day! Thanks again!" - Deborah from OH

"You're the best of the best." - Nick from CA

"I have found your webinars especially helpful during this time of stay-at-home orders and the inability to report to work for my daily schedule. (My branch is closed indefinitely.) I have especially found "Interacting with the Homeless" and "Stress Management for Library Staff" as the most help to date. I have been doing daily meditation as a stress reliever and taking time to find happiness despite all that is taking place in this world.... having this opportunity to listen to your thought-processes is very invigorating and life-changing. Thank you from the bottom of my heart." - Danielle from MD

"[Y]ou've expanded our minds and helped us greatly with your generosity. Thank you for all that you do, I appreciate it immensely." - Valerie from TX

"Thank you very much for your work and very good webinar." - Donna from IN

"I appreciate your vast knowledge on patrons and safety situations." - Mary from IL

"I've long wanted to explore your work, and have enjoyed and learned from 4 of your webinars so far, with plans to view them all. They are excellent! I am charged with leading our staff around issues of safety and security in our rural system, and you are a clear and dynamic voice in our field. I really appreciate your experience, knowledge, and presentation style, down to talking fast to get the most information into the time of the presentation! Hopefully, I'll be able to obtain the new edition of your book soon, as I hope to keep these themes as relevant currents for the duration of my career." - Kimberlee from CA

Additionally:

"Thank you for your wonderful `Safety and Security in the Library' presentation. I so appreciate that you were able to join us virtually this year and share your knowledge on these topics with our library staff. I look forward to exploring some of the resources you shared with us."

"Thanks so much for recording the presentation. It was fantastic!"

"Thank you, Dr Steve, for your presentation today. It was very helpful and insightful. Your subtle humor also lightened the mood."

"I wanted to reach out and thank you for all the information that you gave in your webinar on conducting a library facility security assessment."

WEBINARS

PODCASTS

BLOG POSTS

DEALING WITH CHALLENGING PATRONS - UNLIMITED STAFF TRAINING VIDEO

Watch Dr. Steve Albrecht on video and onstage, as he presents his safety and security workshop, "Dealing With Challenging Patrons" to a live library audience. 45 minutes for unlimited staff showings at a one-time $495 fee or included in any all-access pass program.

PURCHASE HERE