
Step-by-step plan: cybersecurity in cultural organizations

Cybercriminals also know how to target cultural organizations. It is therefore essential that we optimize cybersecurity in the sector. For this reason, DEN, together with experts from the consultancy firm TwynstraGudde, developed the Cybersecurity Step-by-Step Plan. We spoke about this with Gijs Meijer, senior advisor at DEN, and Christine Boelema Robertus, advisor and researcher at TwynstraGudde.

7 min read, 28 Feb 2025

“We are seeing more and more digital threats,” says Christine. “Sometimes specifically aimed at cultural institutions, sometimes at organizations that do not have their security in order. In the latter case, cybercriminals see an opportunity to extort those organizations. It is important that cultural institutions arm themselves against such threats to become resilient and robust together. Among other things, the online Cybersecurity Tool exists for this purpose.” “This step-by-step plan is a great addition to it. We want to help the cultural sector better prepare for possible incidents. And if something does go wrong, we also provide a framework to respond more effectively and, where necessary, restore things,” adds Gijs. The Cybersecurity Tool provides an action list with clear instructions for getting your basic security in order today. That is the first step a cultural organization must take. After that, the step-by-step plan guides you through further in-depth measures and additional actions.

Why cybersecurity is an urgent theme in the cultural sector

The cultural sector relies heavily on digital systems, for example for ticket sales, donor management, and the registration of art collections. This makes institutions vulnerable to cyberattacks: data breaches, ransomware (malware that encrypts or locks systems and data and demands payment for their release, which can cause significant damage), or even sabotage of the climate control systems in museums. The impact of an attack can be substantial, ranging from financial damage and reputational damage to legal consequences.

Gijs and Christine give some examples of what could go wrong. A museum could suffer a data breach that exposes the personal data of visitors and donors. Some museums receive phishing emails almost daily, and a single mistake is easily made. A museum could also lose access to its digitized collections through a ransomware attack. Theaters could be hit by a DDoS attack that takes the ticketing system offline. Christine: “And these are not hypothetical scenarios where you might think it won't happen to your institution. This is a realistic threat that could occur on any given day.”

Protect the 'crown jewels' of your cultural institution

The Cybersecurity Step-by-Step Plan discusses 'crown jewels.' These are the most essential processes, systems, and data for an organization. For a museum, this could be a digital art collection and climate control, while for a theater, the reservation and ticketing system is crucial. Without these 'crown jewels,' an organization cannot function. Therefore, it is crucial to identify and secure them properly. As a cultural institution, you must map this out thoroughly and take action.

Christine: “This includes asking yourself whether it is possible to cover all risks. In practice, this will be very difficult, so you also need to consider 'risk acceptance.' This means determining which risks you accept.” To make a good assessment, your organization must answer three questions:

    • What can go wrong?
    • How likely is it to happen?
    • What is the impact if it happens?

Based on this, you can make choices about which resources your organization uses to mitigate and/or accept the risks. This way, it becomes a conscious decision. 

Effective measures

To manage cyber risks, the step-by-step plan discusses various control measures, including:

  • Governance: Assign ownership for critical processes and ensure clear procedures.
  • Policy: Set requirements for suppliers and implement a clear security policy.
  • IT security: Use strong authentication, network segmentation, and encrypt sensitive data.
  • Awareness: Regularly train employees in cybersecurity, for example, in recognizing phishing emails.

Ongoing process

Gijs emphasizes that cybersecurity is not a one-time action. “It is an ongoing process. Threats are constantly changing, and organizations must keep testing their measures. That is why it is so important that we are launching this step-by-step plan now to lend a helping hand to institutions.” It is also important that the topic is discussed regularly within organizations and that there is a culture in which potential problems can be raised openly. Christine: “Employees should feel safe to report incidents, for example, if they accidentally clicked on a phishing link. Organizations must learn from mistakes and analyze incidents to implement structural improvements. Training and awareness are crucial in this.”

Download the Cybersecurity Step-by-Step Plan

Additional support: CyberSecurity Check

For additional support, DEN has developed the CyberSecurity Check for the cultural sector. It allows organizations to assess how well they are currently protected and is a good starting point for taking further steps.
