The balance between accessibility and security

In conversation with Bud Scheffer, Head of ICT at Museum Boijmans Van Beuningen. 

Where does the balance lie between cybersecurity and usability? This question is central to the work of Bud Scheffer, Head of ICT at Museum Boijmans Van Beuningen. ‘The safer you make everything, the harder it sometimes becomes to work effectively.’

10 minutes | 2 Mar '26

Working openly while staying secure

The Boijmans museum building has been closed for some time due to major renovations. Luckily, visitors have been able to visit the Depot for a few years now: the world’s first publicly accessible museum collection storage. ‘A place where you store such valuable objects should ideally be as secure as possible,’ says Scheffer. ‘Anyone who enters can affect the collection. Still, we want to show all these objects to as many people as possible. That’s a tension.’

That dilemma is similar to the security challenges in Scheffer’s own field: ICT. ‘Digitally, you also want to work as freely as possible. At the same time, you need to protect your information and systems well.’

Working securely in the office, at home, and on the go

When Scheffer started at Boijmans in 2017, cybersecurity was not high on the agenda. ‘At that time, everyone worked in the office, and much information was only available there. That was secure but not flexible. As more people began working from home or on the go, we had to adapt our systems to that. It makes work easier but also introduces extra risks.’

Scheffer had spent the past twenty years in consultancy. In that field, things were very different. ‘Everyone there had long been walking around with a laptop under their arm. As a consultant, you often visit clients. It’s handy if you can access your files then.’

That experience helped him adapt Boijmans’ systems to the desire to work from anywhere. ‘We are now more secure than ever. At the same time, we are demanding more and more from our systems. Fortunately, more and more tools are being developed to make that possible.’

Photo of Bud Scheffer and logo of the DEN Community
Bud Scheffer, part of the DEN Community core team

Access only when necessary

Security and usability don’t always go hand in hand. One example is multi-factor authentication (MFA), where you log in through multiple steps that confirm you are the owner of a laptop, phone, or email address. Think of entering a code or scanning your fingerprint. It’s safer but takes a few extra seconds.

The same applies to the digital screens in the museum, Scheffer explains. ‘It’s convenient if a supplier can adjust something remotely. But that person must then have access to our network. That’s not secure. That’s why our rule is: we only grant access when it’s really necessary.’

Putting digital security on the agenda

To meet today’s demands and requirements, increasingly complex systems are needed. This sometimes raises questions among long-standing employees. ‘They sometimes say: this was possible before, why not now? Or: ICT should help me do my job better, right? I do my best to make that happen, but I also need to prevent risks.’

It’s not always a rewarding task, Scheffer knows from experience. ‘When everything works, you hear nothing. Only when something raises questions or irritation do people come to you. That’s why it’s so important to educate employees about the risks we face if we don’t work securely enough.’

Recognizing and preventing phishing

A turning point was an incident where an account was hacked. Fortunately, the damage was minimal, but the incident put cybersecurity on the agenda. ‘Cybersecurity isn’t just about technology: often, the human factor is the weakest link.’

That’s why Boijmans organizes recurring training sessions for employees. The museum also regularly conducts tests, for example, with phishing emails, so colleagues learn to recognize such messages. ‘We try to make employees aware of risks, but not everyone is equally easy to reach,’ Scheffer observes. ‘Especially floor staff have little time for training. It would be great if we, as a museum, could also give these colleagues the opportunity to delve into this.’

Moreover, it’s important that colleagues see the value of such training. ‘I try to relate the importance to their personal lives. At home, you also don’t want someone accessing your bank details. That comparison helps.’

Photo of a break-out session during the first DEN Community meet-up
Break-out session during the first DEN Community meet-up

Protecting key systems

For museums, there are few standards regarding cybersecurity. ‘When it comes to the physical safety of art, there are clear rules. Digitally, it doesn’t work that way: we have to determine for ourselves what’s good enough. That’s sometimes challenging: I’d like to know the level I should aim for.’

To map out that goal, Boijmans commissioned a study by an external party. ‘We looked at where we stand now, where we want to go, and what’s needed to get there. We also determined which information is most important and should be best protected: the museum’s crown jewels.’ ‘Our collection registration system is our most important crown jewel. It contains the locations of artworks, as well as data about artists and donors. Financial and legal information is also sensitive. Think, for example, of files about the provenance of a work. You don’t want that to end up in the wrong hands.’

Collaborating securely

Museums collaborate with various partners, such as suppliers and external parties. ‘They often use their own laptops or phones. This makes it harder for us to guarantee security. That’s why we use fixed digital environments, such as Microsoft Teams, where you can set who has access to which documents.’

Some colleagues find such systems challenging, Scheffer notes. ‘They prefer sharing files via other platforms, such as Dropbox or Google. But then we lose oversight. That’s why we continue to encourage colleagues to use the fixed routes.’

Continuing to work on digital security

The museum still uses systems chosen long ago. These don’t always meet today’s requirements. ‘Cybersecurity should be the first criterion when selecting systems. Hopefully, we’ll reach a point where all our systems meet our needs.’

Scheffer hopes that maintaining cybersecurity will become much easier in the future. ‘Passwordless login, for example, is becoming increasingly common. That’s both safer and more user-friendly.’

For Scheffer, cybersecurity is never finished. ‘It’s not a project with an end date: the field keeps evolving. Fortunately, museums can help each other stay up to date. Many colleague institutions have the same questions. By sharing experiences, we can move forward together.’

Five tips for a more cyber-secure museum

  1. Determine your ‘crown jewels’

    You can’t secure everything to the maximum. First, identify which systems and data are most important. These deserve extra protection.

  2. Create a plan with clear steps

    Assess where you stand now and where you want to go, possibly with the help of an external party. Then create a roadmap with concrete actions and a realistic timeline.

  3. Invest in awareness

    Employees play a major role in digital security. Organize short training sessions and repeat them regularly. Make them practical and relatable, with examples from daily life.

  4. Opt for secure standard solutions

    Work as much as possible with the same systems, including for file sharing. This way, you maintain control over who has access to which information and prevent employees from turning to less secure alternatives.

  5. Include cybersecurity in every new decision

    Are you buying a new system or starting a new project? Always ask: how is digital security addressed? Make cybersecurity a standard part of your decision-making process.

Author: Anne Louise van den Dool
