Director Briefing - March 20, 2023

Compromised Email from CANS

Earlier today, a member library email account was compromised and sent tens of thousands of spam messages. Because of this, the "" email address has been temporarily blocked by several lists. This means there may be some difficulty sending and receiving email from certain providers. This will clear automatically, but we have also submitted requests to these lists explaining the situation and asking to be removed.

While this instance was probably a result of one of those convincing SPAM messages, it is a good time to remind everyone that strong passwords should be put in place for all accounts. Here is some advice from the System's Access Policy:
  • Randomly generated;
  • At least 12 characters long;
  • Unique; and
  • Should contain some level of complexity.

Examples of adequate passwords include:
  • A “diceware” password (a string of randomly generated dictionary words)
      • If using a “diceware” password, the password shall consist of a minimum of five randomly generated words.
  • A password that is at least 12 random characters long.

Passwords shall not:
  • Consist of previously used passwords; or
  • Consist of passwords used for personal accounts.

Passwords used to access the System Information Systems shall not be transmitted in plain text (such as by email).
  • An exception can be made for passwords transmitted for one-time use, i.e. passwords used for an initial login that the recipient should then change after they are able to access the system.

The library's name or a form of the library's name should never be used in a password. For example, we would never use the password "OWWLLibrarySystem2018". Even though it is more than 12 characters long, it is a poor password and susceptible to a hack.
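For anyone who scripts account checks, the rules above can be tested mechanically. This is an added example, not part of the Access Policy or any OWWL tooling; the function names, the name forms in `ORG_TERMS`, the substitution table and the tiny common-word list are all assumptions made for illustration.

```python
import re

# Assumed forms of the library's name (hypothetical list; extend per library).
ORG_TERMS = ("owwl", "library")
# Tiny constructed sample; a real deployment would use a large common-password list.
COMMON_WORDS = ("password", "welcome", "letmein")
# Undo simple character swaps such as those in "P@$$w0rd".
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})
MIN_LENGTH = 12          # "At least 12 characters long"
MIN_DICEWARE_WORDS = 5   # "a minimum of five randomly generated words"


def normalise(password):
    """Lower-case, reverse simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, previously_used=()):
    """Return a list of policy problems; an empty list means none were found.

    Randomness and reuse on personal accounts cannot be judged from the
    string alone, so those rules are out of scope here.
    """
    problems = []
    words = password.split()
    # Treat space-separated alphabetic words as a diceware-style passphrase.
    is_passphrase = len(words) > 1 and all(w.isalpha() for w in words)
    if is_passphrase and len(words) < MIN_DICEWARE_WORDS:
        problems.append("passphrase has fewer than five words")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    flat = normalise(password)
    for term in ORG_TERMS:
        if term in flat:
            problems.append(f"contains library name form '{term}'")
    for word in COMMON_WORDS:
        if word in flat:
            problems.append(f"contains common word '{word}'")
    if password in previously_used:
        problems.append("previously used")
    return problems


if __name__ == "__main__":
    for candidate in ("OWWLLibrarySystem2018", "P@$$w0rd",
                      "maple river candle orbit fence"):
        print(candidate, "->", check_password(candidate) or "no problems found")
```

An empty result only means none of these checks fired; it does not show that a password was randomly generated.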

I like to use a password manager to keep track of the various passwords we use for accounts. My preferred choice is Bitwarden, but plenty of options exist. Kelsy put together a Docs page on this topic, Password Managers & Password Security.

Password Tips Rerun from OWWL Post February 12, 2021

The easiest way to protect yourself, your library, and all of us from cyber threats is by having a strong password. This not only applies to email accounts but to all of your accounts. The longer and more complex your password, the more difficult it is to crack. Shorter and simpler passwords take less time and resources for hackers to compromise.

Traits of a Bad Password:

Hackers have created databases of the most common words, phrases, and number combinations that they can run your password through to find a match. The following are some common password themes that you should avoid:
  • Birthdays
  • Names
  • Phone numbers
  • Sports teams
  • Library information such as address
  • Simple obfuscation of a common word (“P@$$w0rd”).

What Makes a Good Password:

Your password should be at least 8 characters long and should contain at least one capital letter, one number, and one special character (“@”, or “%”, etc.). As an added layer of security, change your passwords on a regular basis to ensure that you stay ahead of the hackers.

Remember, the best passwords contain as much randomness as possible; using unlikely combinations and random characters is a great strategy. Be creative!
Bad: Fuzzydog82
Better: %FuZZyD0G#8254!
Best: myFuzzyDog-eats4bones!Aday-BIG$

You should not use the same password for multiple accounts (work and personal accounts included) no matter how strong it is. If one account gets compromised, then they’re all compromised.

Thank you again for helping to keep our network safe.

New Phishing Attempt from CANS

The message below is a phishing attempt. If you receive a copy, please delete it immediately. It is an attempt to steal your password.

[Image: Phishing Scam.png]

If you have concerns about account security, email

Tummonds Fund Contributions to OWWL2Go

Like last year, if Ontario, Wayne, and Livingston County Libraries would like to contribute their Tummonds Fund money to OverDrive, you are welcome to do so. Please fill out the OverDrive Tummonds Fund Commitment Form 2023 and return it to Kelly.

2023 NYLA Scholarships from Suzanne

There are several scholarship opportunities for the New York Library Association Annual Conference & Trade Show November 1-4, 2023 in Saratoga Springs, NY.
  • OWWL Library System will award three Continuing Education Scholarships up to $800 each to first-time attendees who have demonstrated a commitment to professional development and supporting their library community. Click here to learn more. The deadline to apply is Friday, March 31.
  • NYLA's Library & Leadership Management Section (LAMS) will award three scholarships of $800 each to first-time attendees (one to a Library Administrator; one to a Library Assistant/support staff member; and one to a new Director, appointed in the past three years, attending the conference for the first time as a Director). Click here to learn more. The deadline to apply is Saturday, July 15.

OWWL Library System Open House

We hope you will join us for OWWL Library System's Open House on April 19, 2023 at 1 PM. We will be joined by special guest Lisa Kropp, President-elect of NYLA.

Please click here to RSVP.


OWWL Library System Annual Report to the Community

Suzanne put together a 2022 OWWL Library System Annual Report for you to take a look at. We accomplished a lot at the System over the past twelve months.

Click here for the full OWWL Library System Annual Report to the Community.


Question of the Week: Friends and Money

Question: Can the library collect money for the Friends?

Answer: It's not a good idea. The library should not handle another entity's money, affairs, or transactions, even the Friends.

Suppose the limited capacity of the Friends means the library must help with cash handling (facilitating sales, accepting donations, and forwarding the money to the Friends). In that case, both organizations should have a policy addressing this approach.

I reached out to our attorney on this one and she put together the start of a sample policy:
Fiscal Controls When Collaborating with Another Entity

To reduce costs and avoid risk, whenever possible, the Library will not serve as the agent for collecting donations or revenue for another entity it is jointly providing programming with.

However, from time to time, the Library may jointly help present an event that requires the coordinated payment, acceptance, and transfer of money or in-kind donations between the Library and the collaborating party. When that is the case, to ensure adherence to all relevant laws, regulations, and policies, every such event shall be governed by written, signed terms for the handling of such moneys. Such written, signed terms shall be tailored to the specific circumstances of the event and shall set out the manner in which the parties will abide by all relevant policies, including but not limited to:

  • Conflict of Interest
  • Fiscal Controls (including those governing cash handling, acceptance of payment, payments, approved credit card use, acceptance of credit cards/PCI compliance, deposit, remission of funds)
  • Bar on political activity
  • Relevant tax considerations

The written agreement shall be reviewed and approved by the Treasurer before being signed by the Director, no less than two weeks before the event.

For entities that frequently collaborate with the Library (local charities, Friends, etc.) a standing agreement reviewed once per year by the respective organizations may be used, so long as it contemplates all forms of accepting and remitting money, and confirms the process for the sharing or remission of same.

Our attorney was so interested in this question that she said she would work on a follow-up for the WNYLRC Ask a Lawyer resource. I'll share that when it is posted.