InfoSec Community Outreach Tips — Part 1.1: Public Libraries — Presentations for Librarians

Welcome back! I’m assuming that you have already read InfoSec Community Outreach Tips — Part 1: Public Libraries and you are now ready to actually craft your “InfoSec 101” presentation for librarians. As previously stated, an introduction to information security talk for librarians will look a lot like one used for a “regular” office workplace, with some personal security mixed in. A talk primarily for library patrons, will be a consumer-focused type of presentation. That will be the next blog post.

Keep in mind that many librarians have a Master of Library Science or a Master of Library & Information Science degree, and/or have vast years of experience working in library science. Some librarians are very tech savvy and you will need to up your game! Other librarians have strengths outside of tech.

• Do not even try to explain doing research to a group of librarians. They will drop you like a bad habit, with a smile.
• Keep your talk informational and informative without being condescending. They want to learn. Provide more in-depth explanations as needed.
• Librarians love resources, so check yourself before you wreck yourself — get those citations correct and give links/resources for further reading.

Slide Deck Content Suggestions. Your mileage may vary. Talk about what you feel comfortable about presenting. Feel free to use my suggestions, or don’t. Stick to your wheelhouse of knowledge and you’ll be fine!

1. Explain yourself. You don’t have to completely blow your OpSec, just explain why you are qualified to speak on the subject of information security.
2. Describe the state of the industry. I usually find some headlines to show that explain where we are today, things like the labor/skill shortage, how much cybersecurity spending there is, and what cybersecurity crime costs companies. All of these headlines to give as examples are easy to find.
3. Security vs Privacy. Librarians are very familiar with privacy issues, plus there are already great programs available specifically for librarians by librarians about privacy. Check out Alison Macrina and the Library Freedom Project. See also this article, Librarians versus the NSA. It’s helpful to give a quick explanation of the differences between security and privacy, but I recommend that you refer librarians to the privacy resources geared to them.
4. Vocabulary words. No, knowing InfoSec terminology will not keep anyone safe. However, it will help them to better understand the headlines and news stories they see every day. Also, it could be helpful for them to better communicate with their IT Department (if they have one) if they know some of these words. Choose ones that make sense for the environment. Explain what ransomware is, in a non-technical way. Tell them what cryptojacking is and how to protect against it. Find links to online glossaries as a resource for them to use later.
5. Explain IoT. It may surprise you that a lot of people outside of our industry are not familiar with the term Internet of Things. Talk to them about what it is, how their toaster could become a part of a botnet. Show them Shodan. Emphasize the importance of changing default passwords for IoT devices.
6. Resources. Librarians love information. Tell them about the websites that are good for getting InfoSec news, especially ones that are less technical and more consumer-friendly. Forbes has increased their InfoSec coverage lately and doesn’t seem to be spewing bad info like some other sources that shall remain nameless. Tell them about books, like The Cuckoo’s Egg, that are great to add to their library’s collection and fun to read. I even tell librarians about the DBIR, Verizon’s Data Breach Investigations Report. Why? It contains great information in an easy to understand format, plus it’s something they can direct patrons to if they need industry information. Remember, you’re not just educating the librarians, you are helping them better serve the public by making them aware of tools, tips, and resources.
7. Phishing. Easy peasey. Go over common red flags and strategies to detect phishing emails. Show them things like VirusTotal and URLscan, for example, as free online tools to see what some of those links are all about.
8. Social Engineering. Yes, phishing is SE. But, go into SE tactics over the phone, text, and in person as well as email SE.
9. Basic Cybersecurity Hygiene. It doesn’t hurt to go over the basics like passwords, password managers, Multi-Factor Authentication, etc. Talk to the about the importance of backups, and the best methods for their situation.
10. OpSec. Explain the concept of operational security, things like don’t take photos to post on social media that could contain something that could compromise the library like a password on a Post-It Note or whiteboard. Ask them how much information about the library staff is on their website, and does it need to be there?
11. PII. Libraries collect information about their patrons. See how they retain that information securely. Ask if they need to collect that much information. Inquire if they ever purge old information. Explain to them why insecurely keeping PII is a security issue.
12. Help. Give them resources where they can reach out for more help, especially if they have a cybersecurity incident. Tell them to practice tabletop exercises in the event of a ransomware incident. Make sure they know what help is available to them, and who they should contact, FBI, etc. Your job by talking to them is to give them some education, then leave them with resources, tips, and contacts for them to use on their own.

This list is not exhaustive, but just a sampling of the types of things to talk about in regards to Information Security with librarians. Feel out your situation. Talk to the Library Director on what their biggest concerns, fears, or issues are. Don’t go on for 20 minutes about cloud security, if what they really need is to understand what a phishing email looks like. Read your audience!

Look for more entries to this on-going series. Next up will be guidelines of giving an “InfoSec 101” talk to library patrons.