Editor’s Note: Today’s post is by Susie Winter. Susie co-chairs the Scholarly Networks Security Initiative Communications Working Group and is VP, External Communications at Springer Nature.
It will come as no surprise to those who work in higher education, or follow developments in the sector, that cyber-attacks are on the increase. The National Cyber Security Centre (NCSC) in the UK reports that, since late February 2021, ransomware attacks on the UK’s education establishments, including schools, colleges, and universities, have increased. With library networks often on the front line, how aware are librarians of the threat posed by cybercrime and, crucially, do they know what steps to take if their network has been compromised?
Awareness of cybercrime
Recent research from Shift Learning following a survey of over 250 librarians, commissioned by The Scholarly Networks Security Initiative (SNSI), shows that, even given the increased threat identified by the likes of NCSC, levels of understanding are worryingly mixed. While most librarians have some understanding of cybercrime and data security issues, the level of understanding varied depending on the size of their employing institution. For example, those working in large higher education institutions were more likely to describe their level of understanding as ‘expert’ across a range of threats such as phishing, viruses, data theft, and theft of log in details, than those working at a small or medium institution. However, across the board, there was still strong understanding that these activities posed a network security risk with the impact on the security of staff and student data, and the reputational damage that a cyber-attack could inflict, concerning librarians the most.
Help and support
In contrast, there was almost unanimity amongst librarians as to who they would go to if they suspected their institution’s network had been compromised. 96% would contact their IT department and 85% would report it to their security department. Reassuringly, 85% would also tell other librarians, and 67% would take direct action to restore the integrity of the network. However, the research did uncover a level of hesitancy amongst librarians to discuss with students how to prevent future network breaches, with only 43% saying this would be something they would do, and fewer still (25%) saying they would add it to a security log for future reference and picture building.
Why this matters
While 65% of librarians said that the theft of personal data was a concern, and 56% were concerned about the theft of university log in details and credentials, many librarians’ knowledge of illegal websites which deploy such practices to gain access to content, such as Sci-Hub, was more limited. Less than half (43%) worry sites like this may have access to their institution’s network and 23% of respondents were unsure if students using these sites would put their institution network at risk.
In addition, the research also revealed that whilst 64% disagreed with the view that it’s fine for librarians to recommend using these illegal sites, and 45% agreed that using these sites is wrong, 47% agreed that these sites are useful for learners.
The research also revealed some confusion amongst respondents as to what is an illegal site. 62% were familiar to some degree with illegal websites, with 63% naming Sci-Hub as an example. However, 21% were unsure, and other answers to the question of whether they could name an example included legal sites and services such as Google Scholar, Research for Life, ResearchGate, and Academia.edu. It also means that, when asked directly, 84% of respondents had heard of Sci-Hub but only 62% had heard of illegal sites that offer scholarly resources; in other words, 22% have heard of Sci-Hub but don’t connect it with being illegal.
What this means
For many librarians, illegal sites like Sci-Hub are clearly a paradox; they agree that it shouldn’t be used and wouldn’t actively recommend it, but they tend to agree with some of the principles it promotes, such as free access to research content. The result of this is that they may be inclined to overlook its use and unwittingly expose their institutions to cyber-attack, potentially compromising researchers, faculty, and student personal data.
This gap in understanding is in stark contrast to warnings from the likes of the City of London Police in the UK. Its Police Intellectual Property Crime Unit (PIPCU) has publicly warned against the use of sites such as Sci-Hub primarily because of how they operate — by using, amongst other means, phishing emails to trick university staff and students into divulging their login credentials. These are then used to compromise the university’s network. PIPCU reports that many universities around the world have suffered intrusions as a result of access credentials being stolen when visiting the Sci-Hub website.
What, therefore, are the key takeaways from this research?
- Respondents had limited confidence around cybersecurity. The open responses in particular revealed a lack of knowledge of how cybercrime works, what to look out for and how to prevent it.
- They were mostly concerned with data protection and ensuring their colleagues, students, and institutions were safe, with the theft of student or staff data being a top concern.
- Librarians’ first port of call if there was a security breach was their IT department, but findings did indicate that librarians see cybersecurity as somewhat outside their realm of responsibility and that they would be unlikely to speak to students about network security.
- Sci-Hub was considered a paradox. While librarians felt that recommending the use of websites like Sci-Hub was wrong, they were also sympathetic to its use. There was also some familiarity with the name Sci-Hub; however, most lacked a comprehensive understanding of what it is, how it works, and the associated security risks such as access to personal data, with some unsure if it is illegal.
With pressures on their time, an ever-changing research ecosystem to understand, and having to manage through a global pandemic, it’s perhaps no surprise librarians are not fully aware of the cyber-security threats sites like Sci-Hub pose. This makes the help organizations such as SNSI can provide that much more important. By providing security checklists, training, information on risks, and opportunities for collaboration, such organizations can help librarians increase their awareness of cyber security issues and the ‘flags’ to look out for, and build their knowledge of the actions they can take to protect their data and their network.
*This research was conducted prior to Russia’s invasion of Ukraine. Since then, Jisc has warned UK Universities to brace themselves for Russian cyberattacks.