Supercool Sessions #17 – Cybersecurity Basics for Cultural Organisations
Recorded LIVE on Thu 21 May 2026
Cultural organisations are increasingly reliant on digital technology. It’s great to be able to quickly and easily promote your events and exhibitions, sell tickets, ask for donations, share stories, and collect data online.
But all of that comes with risks. Not least the risks around digital security.
In this Supercool Sessions webinar, Managing Director James Coleman covers why cultural organisations are an attractive target, the most common ways organisations get caught out, and some practical basic actions you can take to help protect yourself, and lessen your exposure.
Short on time?
Here's a handy recap of James' main points and takeaways:
- Why cultural organisations are an attractive target
- The most common ways organisations get caught out
- Actions you can take
Why cultural organisations are an attractive target
Any organisation – or individual – that’s online has the potential to fall victim to a cybersecurity attack. Particularly those cast-the-net-wide, scattergun, opportunistic types of attack.
But cultural organisations may be singled out for more targeted attacks because you have:
- Ticketing data
- Donor records
- Payment flows
- Mailing lists
- Participant records
- Your reputation
Although highly targeted attacks are less common, they tend to be more sophisticated: rather than relying on someone clicking a link they shouldn’t, the attacker actively searches for any weaknesses in your digital security setup.
The most common ways organisations get caught out
Phishing
Unfortunately, phishing has come a long way since the early days of poorly spelt, grammatically dubious requests for money from foreign Princes, or congratulations that you’ve won the Canadian lottery – to collect your winnings simply supply all your bank details and a photocopy of your passport.
AI is undoubtedly helping make phishing emails, texts, and calls appear more like bona fide comms from a business you might well have an account with, or have bought something from in the past.
How many times have you been rushing through your emails, and nearly clicked a dodgy link because it looked like it was from a trusted source? It’s getting more and more likely that people will fall victim at some point, by clicking a link they shouldn’t.
So, as well as trying to recognise and avoid clicking on any phishing links, the other goal is to limit the damage that happens when someone does.
Weak or reused passwords
Do you use the same password everywhere? Haven’t changed it in years?
When you use the same password across multiple websites, if any one of those sites gets breached, attackers now know your password. And they will very quickly try to log in with your email address and password on hundreds of other services. This is called ‘credential stuffing’ – it’s automated, it's fast, and it can be left running constantly.
Do you share passwords across your organisation, and so need to make them easy to remember? e.g. OrganisationName2026!
Even with that exclamation point, this is not a strong password!
The easier your password is for you to remember, the easier it is for attackers to work out. Attackers understand how humans create ‘memorable’ passwords. And the more people who have access to that password, the more likely it is to be compromised – see 'Over-shared access'.
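As an added illustration (not from the webinar), this Python estimates how many guesses the example password above costs an attacker who knows how people build ‘memorable’ passwords, against the naive brute-force count a strength meter would show; the word list, year range and case multiplier are constructed assumptions, not real attacker figures.

```python
import math
import re
from typing import Optional

# Constructed attacker-side knowledge for this illustration. Anything public
# about a venue (its name, the words on its website) belongs in such a list.
KNOWN_WORDS = ["organisationname", "theatre", "gallery", "museum", "boxoffice", "password"]
YEARS = range(1950, 2030)          # the four-digit years a pattern attack tries
SUFFIX_SYMBOLS = "!@#$%&*?."       # the usual "make it strong" trailing symbol
CASE_VARIANTS = 4                  # lower, Capitalised, UPPER, CamelCase

def pattern_guesses(password: str) -> Optional[int]:
    """Guesses needed by an attacker who tries 'word + year + symbol' shapes,
    or None when the password does not have that shape."""
    m = re.fullmatch(r"([A-Za-z]+?)((?:19|20)\d{2})?([!@#$%&*?.]{0,2})", password)
    if not m or m.group(1).lower() not in KNOWN_WORDS:
        return None
    _, year, suffix = m.groups()
    guesses = len(KNOWN_WORDS) * CASE_VARIANTS
    if year:
        guesses *= len(YEARS)
    if suffix:
        guesses *= len(SUFFIX_SYMBOLS) ** len(suffix)
    return guesses

def brute_force_guesses(password: str) -> int:
    """The naive 'character classes ** length' count a strength meter shows."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33  # printable ASCII symbols
    return size ** len(password)

def effective_guesses(password: str) -> int:
    """What the password is actually worth: the cheapest attack that works."""
    pattern = pattern_guesses(password)
    brute = brute_force_guesses(password)
    return min(pattern, brute) if pattern is not None else brute

def guess_bits(password: str) -> float:
    """Effective strength in bits; roughly 40 is weak, 80+ is manager-grade."""
    return math.log2(effective_guesses(password))

if __name__ == "__main__":
    for pw in ["OrganisationName2026!", "xK9#qw2Lm!Rz8vT@"]:  # constructed samples
        print(f"{pw}: {guess_bits(pw):.1f} bits (pattern={pattern_guesses(pw)})")
```

The 21-character ‘memorable’ password scores around 14 bits once the attacker tries the name-year-symbol pattern, while the 16-character random one a password manager would generate stays above 100.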
Unpatched software
Every piece of software you use is likely to experience security flaws – certainly over time.
Your operating system (Windows, macOS), your browser (Chrome, Safari, Edge), your email client (Outlook, Mail). The apps on your phone. The plugins in your browser.
When a flaw is found, the vendor will release a patch to secure the vulnerability as soon as possible. But if you don't apply it, you're leaving that known vulnerability wide open.
And attackers absolutely scan for that – often within hours of a patch being announced – because they know plenty of people won't have updated yet.
So, make sure you’re always on the latest version of any piece of software. The good news here is that most updates can be configured to happen automatically.
(Updating also applies to your website – your CMS, your ticketing system, your CRM – but it'll usually be the job of your supplier or agency to keep on top of those.)
Over-shared access
Every active account on every piece of software is a potential way into your network and systems.
The marketing intern from three summers ago who still has admin access to the CMS. The freelance designer who's been added to the Mailchimp account. The former trustee whose Dropbox login still works. The shared password that everyone knows for the ticketing system.
Every shared credential multiplies your exposure to attack.
The AI factor
There are a couple of potential risks with AI in terms of digital security.
1) What information are you putting into AI tools?
If you’re inputting sensitive data, such as donor or staff information, into, say, ChatGPT, then depending on your setup this could result in chatbot data leakage. Do you understand how the tool uses the information you’re feeding it? And who might be able to gain access to that information, or where it may be used? If you're in any doubt – don't put any sensitive data into an AI tool.
2) What does AI do on your behalf?
Do you understand where AI is doing tasks for you? Things like clicking links, or auto-sending emails? If AI tools can do those things to speed up your day-to-day tasks, that comes with the risk of ‘prompt injection’: malicious, potentially hidden instructions sent from external sources, which the tool may then act on as if they came from you.
Actions you can take
That all sounds pretty concerning. And it is – the consequences of an attack could be very costly in terms of your organisation's finances, time, and reputation.
The good news is that there are plenty of things you can do to mitigate your risks. And to make it easier to deal with the results of an attack, if or when one occurs.
Fixes for nearly all of the above are well-understood, well-documented, and mostly either free or low cost. Even if you’re not able to action the following yourself – perhaps you have an IT person or department – being aware of, and being an advocate for, digital security measures is a good use of your newfound knowledge!
1) Multi-Factor Authentication – everywhere*
*Well, everywhere you’re able to have it.
Multi-factor authentication (MFA) – or two-factor authentication (2FA) – is the single most effective thing you can do. It means that even if someone gets your password, they still can't log in, because they also need a code from your phone, or an authenticator app, or a hardware key.
Turn it on for as many of your digital services as you can.
And if you use a service that doesn’t (yet) offer MFA, ask if and when it’s getting added – advocate for it. (Pester power works!)
Use an authenticator app – Microsoft Authenticator, Google Authenticator, Authy – rather than SMS if you can. Whilst SMS is better than nothing, it can be more easily intercepted. (Though it's trickier to use efficiently across an organisation anyway.)
2) Use a password manager
Stop trying to remember passwords. Stop using the same one twice. Get a password manager!
1Password, Bitwarden, Dashlane – there are several good ones. They generate strong, unique passwords for every site, store them securely, and fill them in for you. You only have to remember one master password.
Many of them have team or business plans, which means you can share access to shared accounts without anyone actually knowing the password. When someone leaves, you can easily and quickly revoke access. Done.
This change probably eliminates more risk than anything else, after MFA.
3) Keep software updated
Turn on auto-updates for your operating system, your browser, your phone. Don't sit on those 'Update available' notifications for weeks. The 'Remind me tomorrow' button is, genuinely, a security risk. And the same applies to the rest of your software: Outlook, Teams, Slack, Zoom – whatever you live in day-to-day. Keep them current.
This also applies to your website, your CMS, your ticketing system, your CRM. Ask your partners “What’s the patching schedule?” “How quickly do you apply security updates?” “Is anything running on outdated software?”
For CMSes like Craft, WordPress or Drupal, ask when it was last updated, and when the next major version upgrade is planned.
4) Keep your permissions tidy
This is likely to be a few hours of work – but time well-spent!
List the various online tools and systems you use every day. And list who has access to each one. Then go through and remove any accounts that no longer need access – former staff, freelancers, agencies you no longer work with, former Board Members …
Then, lock things down even further, using the ‘principle of least privilege’. Essentially, this means only granting access to those who absolutely need it, in order for each tool to do its job.
Does your Marketing Assistant need admin access to your entire CMS, or just the ability to add, edit, and publish blog posts? Does the Box Office team need access to your entire CRM or just the ticketing module?
When doing this task, it’s wise to explain it to your team and anyone else it impacts – to make sure they understand it’s not about a lack of trust in them. It’s about keeping digital systems as locked down as possible, as a security measure.
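As an added example (not from the webinar), here is the access review above written out in Python over a constructed inventory: current staff, the most powerful role each job actually needs per tool, and every live account, including the cases the section describes (the old intern, the freelance designer, the former trustee, the shared ticketing login). The tool names, roles and 90-day threshold are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List
# Constructed inventory for this illustration: who currently works here, the
# most powerful role each job actually needs per tool, and every live account.
CURRENT_STAFF = {"amira": "Marketing Assistant", "ben": "Box Office", "chloe": "Director"}
ROLE_RANK = {"viewer": 0, "module": 1, "editor": 1, "admin": 2}
NEEDED_ROLE = {
    ("cms", "Marketing Assistant"): "editor",  # add, edit and publish posts; not admin
    ("crm", "Box Office"): "module",           # the ticketing module, not the whole CRM
    ("cms", "Director"): "admin",
    ("crm", "Director"): "admin",
}
STALE_AFTER_DAYS = 90  # unused for this long: remove, or confirm it is still needed
REVIEW_DATE = date(2026, 5, 21)  # constructed: the day the review is run

@dataclass(frozen=True)
class Account:
    tool: str
    user: str        # a person's login, or "shared" for a password everyone knows
    role: str
    last_login: date

def review_access(accounts: List[Account], today: date) -> List[str]:
    """Return one finding per account that should be removed or reduced."""
    findings = []
    for a in accounts:
        if a.user == "shared":
            findings.append(f"{a.tool}: shared credential; move it into a password-manager vault")
            continue
        job = CURRENT_STAFF.get(a.user)
        if job is None:
            findings.append(f"{a.tool}: {a.user} no longer works here; remove the account")
            continue
        if (today - a.last_login).days > STALE_AFTER_DAYS:
            findings.append(f"{a.tool}: {a.user} unused for over {STALE_AFTER_DAYS} days; review")
        needed = NEEDED_ROLE.get((a.tool, job), "viewer")  # default to least privilege
        if ROLE_RANK[a.role] > ROLE_RANK[needed]:
            findings.append(f"{a.tool}: {a.user} is {a.role} but {job} needs only {needed}; reduce")
    return findings

ACCOUNTS = [  # constructed sample, mirroring the cases in the section above
    Account("cms", "amira", "admin", date(2026, 5, 18)),
    Account("cms", "intern2023", "admin", date(2023, 9, 1)),
    Account("mailchimp", "freelance_designer", "editor", date(2026, 4, 2)),
    Account("dropbox", "former_trustee", "viewer", date(2025, 1, 10)),
    Account("ticketing", "shared", "admin", date(2026, 5, 20)),
    Account("crm", "ben", "module", date(2026, 5, 19)),
    Account("crm", "chloe", "admin", date(2026, 5, 19)),
]
```

Run `review_access(ACCOUNTS, REVIEW_DATE)` to get the list of removals and downgrades; accounts whose role matches what the job needs (the Box Office login on the ticketing module, the Director as admin) produce no finding.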
5) Have a plan
There’s been a breach! Now what?
Having a plan in case of a digital security breach will help you in numerous ways, if or when the worst happens. But it’s something many organisations overlook.
Making sure you and your team know what to do means you’ll be able to act quickly. And potentially limit or reduce the impact of an attack.
Even a very basic plan is better than nothing. These are the kinds of things to think about, and work out:
- Who do we need to notify first if we think we've been breached?
- Who needs to know next? Trustees, the ICO (Information Commissioner's Office) if personal data is involved, your bank if payments are affected?
- How will we communicate with customers if our systems are down?
- Do we need to revoke access to any systems?
- Where are our backups, and how recent are they?
6) Training
If you're using AI in your organisation, make sure everyone using it has had some basic training covering its potential security vulnerabilities. And, I repeat, if you're in any doubt – don't put any sensitive data into an AI tool.
Whether you share the basic points above with your team, or undertake an organisation-wide accreditation such as Cyber Essentials, the more people who are aware of security pitfalls and vulnerabilities – and what to do when you spot them – the better.
Hope that was useful, and stay safe.