When it comes to securing your event-calendaring, room-booking, and reading-logging programs, you really can’t be too careful. After all, you’ve been entrusted with sensitive patron data—not to mention the fact that a security breach can mean real headaches and a lot of cleanup work for you.
Fortunately, protecting your systems from potential troublemakers is easy.
If you use Events, Room Reserve, or Summer Reader, it just takes some simple configuration and a little discipline. And if you use SignUp, Spaces, Wandoo Reader, Dibs or BrainHQ? Although more rigorous security settings are the default, there are still some things you can do to be even more secure.
Just because you’re paranoid doesn’t mean they aren’t after you.
—Joseph Heller, Catch-22
Ask Evanced Manager of Quality Assurance and Customer Support Todd Feece and he’ll tell you that classic Catch-22 quote really applies. Funny thing is, Todd is (mostly) a trusting guy. But he has seen the aftermath of a number of security breaches over the years, so not much surprises him anymore.
One customer he recently worked with had a security mess on her hands, because an unidentified person logged in to Room Reserve and archived multiple reservations.
“Now she has double-bookings going on. One Saturday she had two groups that showed up and said, ‘Hey, we’re here for our meeting. We want the space. Here’s our confirmation email with our confirmation code’ and, when she looked in the approved, there was only one listed, but, when she looked in the archive, the other one was listed,” Todd explained.
Someone had also gone in and changed some of her saved reports. But why? Todd speculated, “It could be a disgruntled employee, a PO’ed volunteer, an annoyed patron. There are any number of possibilities there. People do weird things, and people are vicious sometimes.”
The good news is there are some very simple practices you can implement that will make a big difference.
1. Use Unique Usernames and Passwords
Enabling unique usernames and passwords is easily the most effective tactic you can employ, so you should make this your first line of defense.
In Events and Room Reserve, you can set up login with individual usernames and passwords, or you can have a password-only login. In libraries using the password-only configuration, generic roles like Admin, Staff, Volunteer, and Read-Only each have their own password, but multiple people share those passwords. A shared password has two costs: nothing done with it can be tied to a particular person, and it can’t be revoked for one person without changing it for everyone who uses it.
“What we recommend is that they go for that next level of granularity and add a username. That way each person who is signing on to their system has a unique sign-on,” Todd said.
Doing so enables you to see who was the last to touch a particular item. “So, then we can isolate it and say, ‘It’s this user doing it.’ And, if they come back and say, ‘That wasn’t me,’ then we know that their individual account has been compromised and they need to change their password,” he added.
Not sure how to get granular? In Events and Room Reserve, if user logins are enabled, you manage them through the “User Logins” link on the staff side of your software. If you have multi-branch enabled, first use the drop-down menu at the top to select “All Branches,” then click “User Logins” to manage your users. For a single branch, just click “User Logins” and manage your users there.
Watch this short screencast to learn how to set up individual usernames in Room Reserve.
Or see below to set up individual usernames in Events.
2. Enable the ‘Auditing’ Feature
Not sure you want to mess with individual logins? You can choose to enable the “Auditing” feature instead. (And, if you do plan to use individual logins, you can also use auditing simultaneously, if you prefer.)
Activating this feature can help you troubleshoot when something goes wrong. “Let’s say you’re trying to figure out, ‘Well, who published this event? It’s not up to our standards as a library,’” Todd said. “Auditing makes it fairly clear who is doing what. So it can lend itself to protecting the data, but it also helps to identify who’s making a mistake, or who is taking what action and where.”
But here is one auditing caveat: auditing can store the name or initials of one staff member as a cookie or in the browser cache. On a shared computer, actions may then be recorded under that cached name rather than under the name of the staffer who actually took them. So treat the audited name as a hint rather than proof unless individual logins are enabled as well, and don’t let a name cached by the previous user carry over on shared workstations.
Watch this screencast to see the best way to enable the “Auditing” feature in Events.
Although it is possible to update multiple library branches at a time in Events, we recommend enabling auditing for individual branches, one at a time, via their own settings pages. If you enable auditing via the “All Branches” settings page instead, you might unintentionally overwrite settings for other branches. (For instance, say Branch A has Setting 1 turned “off.” If you go into Branch B, turn Setting 1 “on,” and apply it to all branches, Branch A will now have Setting 1 turned “on” as well.)
To see how to enable auditing in Room Reserve, check out this screencast.
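The two attribution questions raised above (who was the last to touch an item, and whether an audited name can be trusted when it may have been cached on a shared computer) come down to a simple rule: the signed-in account is authoritative, a shared role only tells you which password was used, and a cached audit name that disagrees with the signed-in user is a flag, not a fact. The following is an added example written for this post, not Evanced code or anything built into Events or Room Reserve; the log entries, field names, and staff directory are constructed for illustration.

```javascript
// Added example, not Evanced code. It reconciles constructed audit-trail
// entries with the login that produced them and picks out the pattern behind
// the double-booking story: reservations archived before their booked date.
// Field names, the staff directory and the entries are assumptions.

// Constructed staff directory: login name -> registered initials.
const USERS = {
  mgarcia: { initials: "MG" },
  tfeece: { initials: "TF" },
};

// Generic roles of the password-only configuration; anyone holding the
// password shows up under the role name.
const SHARED_ROLES = new Set(["Admin", "Staff", "Volunteer", "Read-Only"]);

// Constructed entries. `auditName` is what the Auditing feature recorded
// (possibly cached on a shared workstation); `loginUser` is the account that
// was actually signed in.
const AUDIT_ENTRIES = [
  { at: "2019-05-03T14:10:00Z", action: "archive", item: "reservation:8812",
    itemDate: "2019-05-11", auditName: "TF", loginUser: "Staff" },
  { at: "2019-05-03T14:11:00Z", action: "archive", item: "reservation:8819",
    itemDate: "2019-04-20", auditName: "TF", loginUser: "Staff" },
  { at: "2019-05-04T10:30:00Z", action: "archive", item: "reservation:8825",
    itemDate: "2019-05-18", auditName: "TF", loginUser: "mgarcia" },
  { at: "2019-05-04T10:31:00Z", action: "edit", item: "report:monthly-usage",
    itemDate: null, auditName: "MG", loginUser: "mgarcia" },
];

// A reservation archived on or before its booked date is worth a second look.
// Legitimate cancellations look the same, so this is "review", not "malicious".
function isSuspiciousArchive(entry) {
  return entry.action === "archive" &&
    entry.itemDate !== null &&
    entry.itemDate >= entry.at.slice(0, 10);
}

// Attribution rule: an individual login is authoritative. A shared role tells
// you only which password was used. A cached audit name that disagrees with
// the signed-in user's registered initials is flagged rather than trusted.
function attributeActor(entry) {
  if (SHARED_ROLES.has(entry.loginUser)) {
    return { actor: entry.loginUser, attribution: "shared-role", cachedName: false };
  }
  const registered = USERS[entry.loginUser]?.initials;
  return {
    actor: entry.loginUser,
    attribution: "person",
    cachedName: entry.auditName !== registered,
  };
}

// Returns one finding per suspicious archive action, with its attribution.
function reviewAuditTrail(entries) {
  return entries
    .filter(isSuspiciousArchive)
    .map((e) => ({ item: e.item, at: e.at, ...attributeActor(e) }));
}

// Stand-alone run (Node): prints the findings for the constructed entries.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(reviewAuditTrail(AUDIT_ENTRIES));
}
```

On the constructed entries this yields two findings: reservation 8812 archived under the shared Staff password, which can be attributed to nobody, and reservation 8825 archived by mgarcia, where the recorded initials “TF” were left over from another person’s session on the same machine. Only the second can be followed up with a specific person, which is the whole argument for individual logins.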
3. Change Your Passwords Regularly
This one seems like a no-brainer, but how many of us actually do it? Rotation matters most for the shared role passwords described above, whenever someone with access leaves, and immediately after any suspected compromise.
“The reason behind it is that we’re warehousing a lot of patron data in there. You may have the patron’s first name, last name, phone number, email—all data that you want to keep secure. You don’t want someone in the community or a rogue element having access to that,” Todd noted.
A “rogue element”—really? Nodding, Todd recalled one library that offered a scholarship based on the number of book reviews entered during its summer reading program: “A teen went in and deleted reviews to kind of pad his own stuff. I’m not kidding you. This has happened.”
Even a strong password is no protection if a staff member logs in to your system on a public computer in the library and walks away without logging out: whoever sits down next inherits the session. The same goes for anyone logging in to the system from outside the library.
If you are using SignUp, Spaces, Wandoo Reader, Dibs, or BrainHQ, these products have an automatic session time-out after 20 minutes. “The session will end if a staff-side user is inactive for 20 minutes. At approximately 18 minutes of inactivity, there is a modal that will pop up, indicating that their session is about to expire. The 20-minute duration is considered best practice, based on industry standards for the kind of data we have in our products,” Todd said.
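To make the timing concrete, here is the inactivity timeout just described (a warning at about 18 minutes of inactivity, session ended at 20) written as a small clock-driven state machine. This is an added example for this post, not the code Evanced ships in SignUp, Spaces, Wandoo Reader, Dibs or BrainHQ; the two durations are the ones quoted above, while the function names, options and 30-second polling interval are assumptions.

```javascript
// Added example, not Evanced code. Models the staff-side inactivity timeout:
// warn at 18 minutes idle, expire at 20. `now` is injectable so the timings
// can be exercised against a fake clock without a browser.

const WARN_AFTER_MS = 18 * 60 * 1000;
const EXPIRE_AFTER_MS = 20 * 60 * 1000;

function createIdleSession({ warnAfterMs = WARN_AFTER_MS, expireAfterMs = EXPIRE_AFTER_MS, now = Date.now } = {}) {
  let lastActivity = now();
  let state = "active"; // active -> warned -> expired

  return {
    // Call on any staff-side input (click, keypress, request). Activity during
    // the warning window dismisses it; an expired session is never revived,
    // the user has to log in again.
    touch() {
      if (state === "expired") return state;
      lastActivity = now();
      state = "active";
      return state;
    },
    // Call from a periodic timer; returns the state after the check.
    tick() {
      if (state === "expired") return state;
      const idle = now() - lastActivity;
      if (idle >= expireAfterMs) state = "expired";
      else if (idle >= warnAfterMs) state = "warned";
      return state;
    },
    idleMs() { return now() - lastActivity; },
    get state() { return state; },
  };
}

// Browser wiring: reset on input, poll every 30 s, fire callbacks on state
// transitions only (the modal is shown once, the logout runs once). Returns
// null outside a browser so the module can also be loaded in Node.
function installInBrowser(session, { onWarn, onExpire, pollMs = 30 * 1000 } = {}) {
  if (typeof document === "undefined") return null;
  for (const ev of ["click", "keydown", "mousemove", "scroll", "touchstart"]) {
    document.addEventListener(ev, () => session.touch(), { passive: true });
  }
  let previous = session.state;
  return setInterval(() => {
    const current = session.tick();
    if (current === previous) return;
    previous = current;
    if (current === "warned" && onWarn) onWarn(session.idleMs());
    if (current === "expired" && onExpire) onExpire();
  }, pollMs);
}
```

Two points a practitioner would insist on: the `onExpire` handler should call the application’s logout so the server-side session is destroyed, not merely hide the page, and the server must enforce the same 20-minute limit on the session cookie independently of this script, because a client-side timer can be stopped by anyone with the browser open and does nothing for a cookie that has been copied elsewhere.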
Of course, changing your password regularly won’t do much good, if your password is “Password” or “Password1,” “Password2,” and so on. People still tend to choose terribly weak passwords.
A good general rule is that your passwords should be at least eight characters long and include a mix of upper- and lowercase letters, symbols, and numbers. Treat eight as a floor, not a target: longer passphrases are stronger, and a password that only just satisfies the mix (“Password1!” ticks every box) is still one of the first guesses an attacker will try.
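A check that enforces the rule above and then goes one step further, rejecting the “Password1”, “Password2” family even when a symbol has been tacked on, looks like this. It is an added example for this post, not an Evanced feature; the short list of weak base words and the substitution table are assumptions chosen for illustration, and a real deployment would check candidates against a published breached-password list instead of a hand-written one.

```javascript
// Added example, not Evanced code. Enforces the post's composition rule and
// additionally rejects passwords built on a common word with a counter or
// symbol appended, which the composition rule alone would accept.
// WEAK_BASES and LEET are illustrative assumptions, not a real denylist.

const MIN_LENGTH = 8;

// Constructed list of bases that turn up with digits appended ("Library2").
const WEAK_BASES = new Set([
  "password", "library", "summer", "reader", "admin", "welcome", "letmein", "qwerty",
]);

// Substitutions people use to satisfy "add a number or symbol".
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

// Reduce a candidate to the word the person started from: lower-case, drop
// leading symbols and the trailing counter/symbols ("Password2!" -> "password"),
// then undo leet spelling ("Passw0rd" -> "password").
function baseWord(pw) {
  const stripped = pw.toLowerCase().replace(/^[^a-z0-9]+/, "").replace(/[^a-z]+$/, "");
  return stripped.replace(/[@!$0-9]/g, (c) => LEET[c] ?? c);
}

// Returns { ok, reasons }; an empty reasons list means the password passed.
function checkPassword(pw, { username = "" } = {}) {
  const reasons = [];
  if (pw.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (!/[a-z]/.test(pw)) reasons.push("no lowercase letter");
  if (!/[A-Z]/.test(pw)) reasons.push("no uppercase letter");
  if (!/[0-9]/.test(pw)) reasons.push("no digit");
  if (!/[^A-Za-z0-9]/.test(pw)) reasons.push("no symbol");
  if (username && pw.toLowerCase().includes(username.toLowerCase())) {
    reasons.push("contains the username");
  }
  const base = baseWord(pw);
  if (WEAK_BASES.has(base)) reasons.push(`built on the common word "${base}"`);
  return { ok: reasons.length === 0, reasons };
}
```

Run against the examples in the post, “Password” fails on the missing digit and symbol, “Password1!” passes every composition check and is rejected only by the base-word test, and a long passphrase with a digit and a separator in it passes. That difference is the point: composition rules describe what a password looks like, not how guessable it is.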