Someone hacking into a social media platform or a major financial institution is always big news when it happens, but the fine arts world is not immune to this threat. Art galleries, museums and nonprofits need to protect themselves with tech support and training among their staff, to insulate their computer infrastructure and be ready to respond when a hacking occurs.
The damage could be substantial. Someone hacking into your computer systems could result in bank accounts being drained, customer and donor lists exposed, computers going dark and ransom demands being made. Cybercrime not only brings a loss from the hacking itself, it can also result in a damaged reputation, a loss of donors and clients, regulatory fines and lawsuits.
How it’s done
Both the Society of London Art Dealers and the Art Dealers Association of America have warned their members about the dangers of email fraud since an October 2017 cyberattack involving nine art galleries in which staff was manipulated using “social engineering” to redirect payments into an account owned by hackers. In this “man in the middle” scam, after legitimate emails were sent by staff members, hackers sent follow-up emails instructing the recipient to ignore the previous message, The Art Newspaper reported. In one case, the director of a London gallery’s email was hacked while she was on vacation, and the hackers used the director’s email to direct her assistant make a fraudulent wire transfer. Hackers often impersonate staff and customers, making it hard for a scam to be discovered.
There are many ways that hackers can break into a computer system:
- An employee might inadvertently open an email that contains a virus, or a link to a malicious website.
- A gallery or one of its staff might use a password that’s easy for hackers to break (“password” and “12345” are just two obvious examples).
- An infected thumb drive might be sent to the gallery or left somewhere for an employee to discover. If an employee plugs the drive into a computer, the entire network could become infected and vulnerable to attack.
Make sure you’re protected
Evaluate your organization’s cyber risk posture with an analysis that includes cybersecurity readiness, regulatory and business compliance and an Incident Response Plan that can be implemented in the event of a breach.
Employees should be educated and trained to report any suspicious activity or potential breaches.
Consult with qualified breach response providers and have one of them ready to be engaged if such a breach should occur. This includes attorneys, forensic accounting, public relations, credit monitoring and notification firms.
Implement the right protocols
- Encrypt invoices and confirm bank details over the phone with clients, artists and providers before transferring money.
- Create a culture of cybersecurity awareness, with training and targeted employee phishing exercises.
- Maintain strong network passwords, require employees to change them frequently (every 30-90 days) and change the factory default passwords on all equipment.
- Implement secure remote data transmission methods such as utilizing VPN technology
Protect your data
- Segment your computer networks and apply appropriate access controls.
- Maintain computer software with necessary patches and updates.
- Apply computer firewalls, to help insulate your network.
- Develop and enforce mobile device policies (including encryption, when applicable).
You might consider purchasing a cyber Insurance policy that would provide both first- and third-party protection in the event of a cyberattack. Such insurance covers the costs of retaining breach response vendors, costs for defending and settling lawsuits filed by affected third parties and other costs associated with a cyberattack.
Learn more about cyber insurance for the fine arts world.
Some terms to know:
- Hacking – Use of the Internet to gain unauthorized access to a computer system
- Malware – Malicious software used to disrupt computer operations, hijack them or access data
- Social engineering – Manipulating staff into divulging confidential information
- Human element – Errors and mistakes, whether inadvertent or malicious
- Phishing -- The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers