Cybersecurity Protections and Patron Privacy are Library Priorities

News headlines nearly every day carry warnings about cybersecurity data breaches and theft of customer information. It’s become an alarming trend for governments, health care institutions and private companies.

Johnson County Library works diligently to guard against these threats and to protect patron privacy.

In March of 2022, Johnson County Library hired John Siceloff as its first full-time Cybersecurity Analyst. Since then, he has been laser-focused on protecting the Library’s systems, online services and patron information. He is part of the Library’s Information Technology (IT) team that shares those priorities, and also works closely with other security analysts throughout Johnson County government.

As threats constantly evolve, these security analysts work hard to keep ahead of the bad actors.

“We take a very pro-active approach to cybersecurity,” Siceloff said.

The mantra, he said, is “We protect the confidentiality, integrity and availability of Library assets.”

Siceloff reports to Information Technology Manager Michelle Beesley, who oversees a team of 12 professionals. Beesley said her team has grown in recent years, and security has become an increasingly crucial part of everyone’s role.

“Library administration and the Library Board are very supportive of building and maintaining a culture of security here at the Library,” Beesley said. “That’s the overarching theme. We are assigning people resources and budgetary resources. All Library employees take regular security awareness training, to encourage security best practices.”

So far, that culture has helped Johnson County Library avoid recent cyber or ransomware attacks like those that have affected Kansas City and Jackson County governments, the Kansas court system and the Scout traffic camera system.

Siceloff and the Library’s Learning and Development team provide the security awareness training. All new employees receive training as part of coming on board. All staff participate in regular training as well.

“There is an annual baseline training for all,” Siceloff said. “There is monthly video training and a monthly email phishing simulation.”

Training is required even for part-timers and even for County Librarian Tricia Suellentrop and other top managers.

“Our employee compliance with the training requirement is very good,” Beesley said. “We are very consistent on that front.”

Key strategies in use by employees to ensure security of Library technology include: recognizing and reporting phishing emails, using strong passwords, using multifactor authentication for sensitive log-ins (for example, verifying identity by receiving a code on a cell phone), and keeping software and hardware updated.

These basic principles and techniques do not require IT training, and everyone can also use them daily to avoid cybersecurity threats.

Beesley said there are solid security controls around eBook and eAudiobook provider Libby and the Library’s other online services that the public uses.

The Library pays close attention to protecting what limited information it does have on Library Card accounts or any data that is transmitted or stored. “Preserving patron privacy is of the utmost concern,” Siceloff emphasized. “Patron trust is one of our top priorities.”

The job is never finished, but it’s rewarding because the organization realizes it’s so important, Siceloff said. “You have to have the flexibility to learn the new techniques and adapt to them,” he said. “What is vitally important for somebody in my role is management support and cooperation. And I get that here.”