
Cybersecurity is a Shared Responsibility

October is Cybersecurity Awareness Month, so we want to use this opportunity to remind everyone that cybersecurity is a shared responsibility. Below are some of the things we do to help minimize the risk of cyber attacks on Springshare's infrastructure and software. You'll also find recommendations for what you - our customers - should do to help minimize the risk. Institutions, companies, universities, schools, libraries... everyone is at risk these days of ransomware attacks, phishing schemes, or data leakage incidents. Let's work together to ensure security for you and all other systems on our servers!

Things We Do at Springshare

At Springy HQ, we follow industry best practices regarding the safety and security of our infrastructure.

  • Vulnerability & Penetration Tests - We conduct quarterly vulnerability tests and an annual penetration test for all Springshare applications.
  • Vendor-Provided Patches - We ensure our systems are up-to-date by applying vendor-provided patches and updates as soon as they're available.
  • Data Encryption - We ensure that all data in transit - flowing to our servers (e.g., every time you hit save in a LibGuide) and from our servers (e.g., every time you run a report in LibInsight) - is encrypted. Data are also encrypted at rest when stored on our end.
  • Provide Free LetsEncrypt Security Certificates - All browsers require HTTPS, which means security certificates are also required. If you are using a custom domain for your LibGuides, LibAnswers, and/or LibCal system, you can use our free LetsEncrypt integration to get a security certificate that we automatically maintain, rather than purchasing / uploading / renewing your own. (A custom domain is one that uses something other than libguides.com, libanswers.com, or libcal.com.)
  • SOC2 Type II Compliance - We recently completed a Systems and Organization Controls (SOC) 2 Type II audit, which is an independent assessment of our internal security controls, and we're proud to say we're compliant!

Now that we've recapped the things we do here, let's talk about some of the steps you need to take to ensure the security and safety of your systems.

Things YOU Should Do

While we're doing our part to ensure that our servers aren't vulnerable to hackers, there are things you should do on your end. All it takes is one bad actor to create potentially big problems, so let's work together to mitigate this risk.

  • Multiple Administrators / Succession Planning - It is important that you have multiple admin-level users in each of your LibApps tools. At least 2-3 times a week, we get emails from Springy users whose system administrator has left and they're locked out from all admin-level features... including creating accounts! Preparing your systems for succession planning is so important that we even have a training session about it!
  • Create & Use Strong Passwords - Test1234 is not a good password! It is vitally important that everyone with an account in your Springshare tools has a strong password including characters, numbers, and capitalized letters. These passwords should be unique and not shared across multiple tools. Your email password should not be the same as your LibGuides password, for example. And never ever ever share them! Additionally, consider using a password manager. There are plenty of options: subscription-based, free, or even in-browser.
  • Periodic Review of Accounts - It is important to do a periodic review of who has access to your systems and at what level. Someone you made an admin 3 years ago to test some customizations might not need admin-level access anymore. A review should be done quarterly or semi-annually.
  • Removing Accounts / Making Accounts Inactive - Make it part of your internal protocols to ensure employees who are leaving your organization no longer have access to your LibApps tools. This includes deleting accounts entirely or making accounts inactive. This list of FAQs shows how to manage accounts across all Springshare tools.
  • Use OAuth2 - For syncing your calendars in LibCal or LibStaffer or for sending emails in LibAnswers, use OAuth2 instead of credentials. This gives you and your IT department more fine-grained control over access.
  • Is Everyone HTTPS? - All Springshare tools are run through HTTPS, which means that all your vendor apps embedded into Springshare tools should also be HTTPS... including all widgets, RSS feeds, CSS files, and more.

Understanding Phishing Emails

Sometimes we get emails from you wondering if an email you received from us is actually from us. We totally get it! Phishing emails are now so common and it is great that you are confirming suspicious emails before following through.

To that end, here are a couple of things to know:

  1. SpringyNews / Support / Training / Lounge Emails - SpringyNews emails, replies from the support team to tickets you submitted, and our monthly Training newsletters all come from an @springshare.com email domain.
  2. Emails from Springys Directly - If you ever receive an email from a Springshare person directly, it will be from an @springshare.com email domain. If someone is claiming to be our Chief Springy Slaven Zivkovic and they email you from a Gmail address - it's most assuredly NOT him.
  3. Operational Emails - From time to time, we send you emails about important changes or updates to your Springshare tools. These vitally important emails are not opt-in, so you cannot unsubscribe. These emails will come from do-not-reply@libapps.com, which you should add to your contact list to ensure delivery.

 

Security of your tools is vitally important and we take it very seriously here at SpringyHQ - so seriously we dedicated an entire blog post to it! We hope you'll agree: security is a shared responsibility. Your Springshare tools are only as strong as your weakest password.
