FEATURE
Protecting the Electronic Devices in Your Library
by Steve Albrecht
Some of these devices might belong to patrons, with most belonging to the library; they all need protection from theft, vandalism, and cyber-sabotage. |
In his 1914 poem “Mending Wall,” Robert Frost writes “Good fences make good neighbors”—meaning it’s often useful to have boundaries around the things we value. There are plenty of expensive items in your library, ripe for the picking, including art exhibits, rare books, folios and manuscripts, genealogy collections, photographs, and your electronic equipment. The question you need to ask is, “Are we protecting our physical devices as well as we are protecting our internet/cyber presence?” This balance between safeguarding the physical boxes and what exists in the cloud is equally important.
Better Security Starts With an Assessment
The electronic devices in your building should be near the top of your list for protection. Some of these items belong to the facility, some to the employees, and some to the patrons. This includes our staffers’ or patrons’ smartphones, tablets, laptops, gaming consoles, laser and color printers, 3D printers, PCs, computer lab room equipment, and training room equipment (such as flat-screen TVs and ceiling-mounted or desktop projectors). Don’t forget all of the accompanying equipment, like router devices, remotes, mice, keyboards, and specialized power supply cords—all of which can be tedious and sometimes expensive to replace. Some of these devices might belong to patrons, with most belonging to the library; they all need protection from theft, vandalism, and cyber-sabotage.
Consider that the most valuable room in your library is one you probably don’t think of much—until there is a problem with its contents, and then the collective stress in the building soars. Your IT server room houses the network devices that keep your library online. Where we place this equipment sometimes feels like an afterthought, usually in a closet-like room in a back-office hallway. The locks for this important room range from none, to too cheap, to electronic access key cards with only a few card holders—which is what it needs to be.
The federal government uses a term to describe a room that either houses the most important cyber-related national security devices or is used for super-secret meetings and conversations. It’s called a SCIF (sensitive compartmented information facility). This long-winded definition is used for specially built rooms where access is tightly controlled and what is said or typed inside needs careful protection from damage, sabotage, theft, fire, or cyber-assaults.
While your library doesn’t need to build a lead-lined room complete with white noise machines to prevent electronic eavesdropping, you do need to treat the room where you house your IT server equipment with nearly as much care. You can start by upgrading the door lock, making sure only a select few library leaders (along with the IT manager or IT vendor) have either the hard key or the key card. No employees should be able to access this room without permission or unless they are on a need-to-be-inside-there basis. Consider this room to be the heartbeat of your network operations.
Lockdown
Most full-service libraries have a dedicated training room (a computer lab), using that space to provide training to seniors, students, and anyone else who wants to become computer literate or further skilled. The typical design is a row of tables with PC monitors, keyboards, and mice. Some keyboards and mice are wireless; others may be attached by USB cables. There may be a collection of library-owned laptops and tablets in this room, and they are often stored in nearby racks. Some of these racks are lockable, providing an additional layer of protection in the room, especially when it’s unsupervised.
We are certainly familiar with the value and necessity of cables and the accompanying locking systems that can be used to secure PCs, laptops, and tablets. These should be a constant part of your security protection for these devices in all parts of the library where they are provided. However, in our need to trade security for convenience, on occasion, library staffers or computer class instructors will not lock down every device, because they will be right back or will use them for another program later in the day. It’s in such unguarded moments that these machines can disappear. Thieves wait for the right moment, when we fall into the mindset that nothing has ever been stolen before and therefore fail to use the security devices as required. This is known as the Myth of No Past Problems, and it can lead to feelings of “should have re-locked them” regret later.
Asset Tags
Besides the value of locking cables, two often overlooked deterrents are affixing asset tag labels to the devices, or, better yet, engraving them. We can divide the types of people who would steal a library PC, laptop, or tablet into three categories: someone who doesn’t have one and takes it for their own personal use, someone who takes it and plans to resell it online (eBay, Facebook Marketplace, etc.), and someone who takes it with the intent to pawn it. (Keep in mind that most pawn shops—legitimate or otherwise—only pay 10% of the item’s face value, so a $600 iPad only gets them about $60.)
Asset tags are specially designed metallic printed labels with your library’s name, location, and phone number on them. Some say Property of ABC Library—XYZ Branch, and they are hard to remove without defacing the item. Most legitimate pawn shops won’t buy a device if they see the tag has been removed. Some asset tags are also printed with an equipment number, which can be useful for inventory control by keeping a master list of all devices. It helps our peace of mind to do a hard count of the total inventory of items marked with asset tags at least semiannually, if not quarterly. It’s even better to have the back of the equipment engraved with Property of ABC Library and perhaps a phone number. Again, most legitimate pawn shops—and, we hope, most honest eBay or Facebook Marketplace buyers—won’t purchase these clearly stolen items.
Access Control
These suggested physical deterrents are best enhanced by key control of the rooms where equipment is used or stored, access control policies that all staff understand and follow, and staff vigilance while they are being used. There is an old saying in security, which is, “Hard metal keys offer no key control at all.” Even keys that are stamped Do Not Duplicate can be copied by less-than-scrupulous locksmiths. If you are serious about controlling access to the rooms that house your most expensive equipment, then you need to move to electronic card readers. Unlike hard keys, which can end up anywhere, including being stolen from an employee’s key ring by an observant thief posing as a patron, key cards are easily deactivated and replaced. Plus, they can be graduated to only allow authorized employees to use the room, not every employee. Most systems can provide proof—via the accompanying software—about who entered the room and when, which can be useful to determine when the room was used and later secured.
Security Cams
The use of cameras inside a computer lab is the subject of a spirited debate. Some library people argue that cameras in these rooms create a Big Brother feeling. They also reason that cameras don’t prevent thefts—they only show what happened and usually only long after the incident took place. Banks have cameras, and they still get robbed. This is mostly true, but that shouldn’t minimize the deterrence value for cameras, especially if people using the room know the cameras are in place. (There is no implied expectation of privacy in a room accessed by the public, save for restrooms, locker rooms, and changing rooms, so libraries can install cameras, even without notice, in a publicly used training room.) Aside from recording what happens, these camera views can help isolate the person or people who stole the equipment, using screen-capture photos, which are of much higher quality now than in years past.
Asset Monitoring
In a perfect library world, you would have two staff members assigned to any computer classes: one teaching and leading from the front of the room and one who stays primarily in the rear of the room, moving about among the class participants to answer questions and helping with the learning, but also keeping watch over the equipment, especially as the class ends and people begin to leave. It should be an enforced rule that no PC, laptop, or tablet user can have a bag, purse, or backpack on the desk when using these items; they need to be kept on the floor, so the equipment stays visible at all times. All staffers should pay careful attention that no electronic items are stashed in those bags before leaving. These critical elements are best used before our devices or the patrons’ devices get stolen. Learning the painful lesson about a massive equipment theft after it occurs is expensive and demoralizing. (I recall one finance director telling the library director, “Any big-ticket item that gets stolen and has to be replaced is just less money you have to hire more staff or to spend on more staff development activities.”)
Calling the Cops
There are some in the library world who don’t believe there is any value in calling the police to report thefts of any items in the library, either because they don’t want the police in their building for any reason, or, more likely, they don’t believe the police will ever recover the property or catch the thieves. This is not a useful belief for several reasons: Reporting crimes sends a message to potential thieves (word gets around on the streets) that there are indeed consequences for stealing from the library; that stealing any item worth more than $1,000 becomes grand theft, a felony in all states, which means the thief can go to prison instead of jail; and that because some thieves steal the same types of items from the same places—e.g., laptops from several libraries—their criminal patterns can lead to their arrest. All of this starts with a petty theft or grand theft report, taken by a patrol officer or patrol deputy and followed up on by a police or sheriff’s detective. If your library plans to make an insurance claim for any theft items, your provider will need a police report to process the claim.
And speaking of reports, the past can be a useful predictor of the future, in that your review of 6 months to 1 year’s worth of security incident reports (SIRs) can point to theft trends and can help you decide how to allocate your budget resources, especially when it comes to protecting your electronic devices.
|