Open Forum

 View Only
  • 1.  Staff Listing on Museum Website - Security Risk

    Posted 02-15-2019 05:49 PM
    I would like COO's, CTO's, and anyone else who may have something to contribute, please chime in.

    Do you feel that having your staff listing on your website represents a security risk to your organization?  For further detail, let's just assume it is a listing of names and roles categorized by department.  There are no email addresses or phone numbers listed.  Does a basic listing represent a security risk in your opinion?

    Thank you.

    Richard Bradway
    Stockbridge MA

  • 2.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-18-2019 10:21 AM
    Edited by Elizabeth Wallace 02-18-2019 10:20 AM
    Our museum is a part of the University of Iowa, which has a public directory for all staff/faculty. Our museum website lists our staff and their professional contact information, with photographs. We do not consider this a security risk, and embrace it as part of our mandate to be transparent and accessible to the public.

    Elizabeth Wallace
    Mgr. Communication, Marketing & Membership
    University of Iowa Stanley Museum of Art
    Iowa City IA

  • 3.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-19-2019 03:30 PM
    First, in the handful of decades that I have worked in museums, there have always been various means of access to names and job titles of museum staff people. The printed volume of AAM's directory of museums was a valuable tool in the days before easy Web access to practically every kind of information. Second, in various other documents, such as annual reports, board members and at least senior staff are often identified as a matter of course. In addition, many museums give credit to various personnel in exhibit panels, press releases, institutional publications, and program publicity. Thus personnel identities, at the very least, have traditionally been publicly available, and -- though I may be missing something -- I am not aware of serious incidents resulting from that.

    I agree with Elizabeth that, as cultural, education organizations, museums are usually quite open about how and by whom they are are operated. In my various museum roles, I have had my share of unusual encounters with community folks, but I do not think those sorts of things can be avoided without rather extreme measures of isolation, and I would not consider them to be security problems.

    Bruce MacLeish
    Curator Emeritus, Newport Restoration Foundation
    Cooperstown NY

  • 4.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-20-2019 08:28 AM
    What kind of security risks are you imaging? 

    In my roles I've often advocated for more transparency about how to contact museum staff. This has usually met resistance from individuals who don't want to field requests from the public.  In those cases, I've generated role-specific aliases (e.g. that could be associated with one or more people. 

    Most Universities (mentioned by another poster) also have processes for exempting publication of emails, etc. e.g.. for victims of domestic abuse, etc.  This is where role-specific aliases can also come in handy. 

    IMHO, the biggest risk is information security and malicious bots scraping your published addresses to generate spear phishing emails, but simply removing them from your website won't necessarily prevent that (there are other ways of getting those addresses).  We are fortunate to have training programs here around information security, recognizing malicious emails, and monitors to catch most of it.  That's a luxury that many smaller organizations won't have, but you can certainly work to educate staff about the dangers. 

    This is where I love what TechSoup has to offer non-profits. See their recent Cybersecurity series of blog posts and classes:
    Get Ready for Cybersecurity Awareness Month at TechSoup
    Techsoup remove preview
    Get Ready for Cybersecurity Awareness Month at TechSoup
    As cybersecurity threats increase across the world, nonprofits are not immune to the danger posed by bad actors looking to gain access to sensitive information. In fact, a recent report found that data breaches among charities in the UK have nearly doubled since GDPR has gone into effect.
    View this on Techsoup >

    Richard Urban, PhD
    Digital Asset Manager & Strategist
    Corning Museum of Glass
    Corning NY

  • 5.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-20-2019 08:59 AM
    Personally I always appreciate an online directory for staff. It helps me do my job. 

    That said - I think individual staff should be able to opt out of this. People may have lots of reasons why they don't want their full names, headshots, etc. on their workplace's website. Stalkers or estranged family members were the first things that came to mind, which sound extreme but can be a serious risk.

    Lisa Coleman
    Traveling Exhibits Coordinator
    The Children's Museum of Indianapolis
    Indianapolis IN

  • 6.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-21-2019 06:13 AM
    Those of us in Human Resources have experienced instances in which staff are being stalked by ex's even with restraining orders. I as one case in which the stalker knew the victim worked for a museum but did not know which one until he located her name on the staff list.
    We can't protect against everything, but should provide staff the opportunity to opt out.

    Roslyn Schaffer, SHRM-SCP, SPHR
    Chief Human Resources Officer
    Philadelphia, PA

  • 7.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-21-2019 09:33 AM
    I second Lisa's statement. There is very little institutional risk in having a staff directory, but there may well be a pretty high personal risk for some people. I would make the directory optional, and make sure that every staff member is aware of its existence so that those with reason to opt out are given the chance to before they are put at risk.

    I would be hesitant to put staff photos on the web site unless you have a pretty compelling need for them, and again allow people to opt out of just the photo if they choose. It wouldn't take much for a determined individual to match a face to a name and then begin stalking/harassment from there. It may sound paranoid, but I've seen female coworkers at other jobs targeted for harassment by strangers for really trivial reasons.

    Matt Popke
    Denver Art Museum
    Denver CO

  • 8.  RE: Staff Listing on Museum Website - Security Risk

    Posted 02-21-2019 10:21 AM
    Museums should be open and transparent for historians, students, art lovers and the plethora of types of museums in our country.
    There's more information on a LinkedIn page and Facebook page than a 60 word bio with photo. I believe that those that have chosen this profession deserve credit with well written bios and flattering photos. 
    There should be absolutely no fear in presenting the truth and honesty of a directory of dedicated professionals.

    William Tyler
    Collections Exhibit Designer (Retired)
    Nashville TN