
Your museum has embraced the digital world. Digitized collections, an asset management system, ticketing, customer relations system, volunteer and event management, and other solutions to the myriad of business requirements needed to run a museum. Congratulations! Now, how will you sustain this work in the long term? Digital assets are inherently unstable, requiring time and attention to remain readable and usable. “Free” platforms and tools can change overnight in ways that harm museum users. Maintaining and upgrading digital systems is expensive, and while grant funding might pay for the purchase of an application, support for ongoing operational expenses is hard to come by.
Join CFM director Elizabeth Merritt and Nik Honeysett, Director and CEO of the Balboa Park Online Collaborative, to explore how museums can plan and budget for digital sustainability, and ward off Vint Cerf’s prophesied “digital dark age.”
After the chat between Elizabeth and Nik, participants will join breakout groups to discuss the implications for museums and share information and reflections, then come back together with everyone to share their thoughts and ideas.
Transcript
Elizabeth Merritt:
Hello, and welcome to Future Chat. I’m Elizabeth Merritt, Vice President of Strategic Foresight and Founding Director of the Center for the Future of Museums here at the American Alliance of Museums. And I’m so happy to have you join me for the first Future Chat of 2025.
We launched this series last year as an opportunity for me to teach a little bit of foresight. And share a piece of news from my scanning. And model how you can talk about it as a way of exploring implications when you see something in the news. This is also a chance for you to network with your peers something that people tell AAM they want more of. That networking will take place in breakout rooms later in the chat and also via the chat feature on Airmeet, which I encourage you to use throughout. I see many of you already dropping your names and locations and museums in. That’s great.
So, if you’re so inclined, go ahead and use chat now to introduce yourself and where you’re from. Now a few notes on the culture of Future Chat before we dive in. Notably, confidentiality. What’s said in Future Chat stays in Future Chat.
While we’re recording the introductory conversation with our guest, and that will be on our website later, please respect that what’s said in the breakout rooms is not recorded and stays in the breakout rooms. So please don’t repeat what anyone else has said in the breakout rooms or in chat as especially not with attribution.
Here’s how this will work today. I’m going to introduce a piece of news from my scanning, and then I will introduce a special guest who will help me explore some of the implications of that story. We’ll send you out into breakout rooms with suggestions for guiding your conversation. And then bring you back together at the end of the hour to share some insights.
Please make copious use of the chats throughout, and we’ll do our best to watch and respond. And we’ll also be sharing links and resources throughout in the chat. So, keep your eye on chat for some links you might want to follow. Okay.
Our topic for today is digital risk. Now this is an issue that I featured in the current TrendsWatch report in an article titled Stop, Look, Think: How to Manage Digital Vulnerabilities. If you’re a member of AAM, you received a copy of TrendsWatch, as the January/February issue of Museum Magazine. Looks like this. And a copy of the digital article on digital risk is available on the AAM website outside the member wall.
We’re sharing a link to that article in chat. Also, the full report will be available as a free PDF download to everybody later this spring, so keep an eye open for that.
Before we start, though, I’d like to establish a baseline for this chat about your experiences with digital vulnerabilities. So, my stage manager, Ariel Waldman, is going to be pushing a poll to the audience. I’d like you to answer the poll. And what it is going to be asking you, it’s going to take a minute to come up on screen, is about your experiences and asking you to answer the following question: Which of the following is true for your organization?
Have you lost data?
Have you ever been the victim of a ransomware attack?
Have you had a digital outage?
Have you lost critical data or access to platforms when staff left and took their passwords with them? Do you have a digital recovery plan?
Or you’re going to be free to answer don’t know, not sure, none of the above. So, give us a minute to get that pulled up on screen.
Now you might have to mouse over the poll and scroll down to see all of the options. And we’re going to be pushing the answers to the screen as they roll in. The reason that we chose these options is, if you have read the article in TrendsWatch, you’ll see there are a lot of reasons that people lose data.
Sometimes the data is accidentally wiped out when a server goes bad. Sometimes it’s on the cloud, and the service that was maintaining it goes out of business. Ransomware is increasing. When we did a snapshot of American museums last year, 13% of museums said they’d been the victim of a ransomware attack.
Digital outages increasingly common, especially with our fragile national infrastructure. Sometimes there can be a power outage. Sometimes connectivity can be lost. I’ve heard too many unfortunate examples of people saying, well, you know, the person who managed this account for our museum left, and we don’t know how to log on to the account anymore because we don’t have a central record.
And we, of course, are very interested in digital recovery plans because we want to be able to share good examples with the field. So, let’s see.
Ariel, can you be, ah oh, yes. Thank you. I am seeing the results. So, what I am seeing is that, nearly 20% of you have lost data. My sympathies.
6.5% have been the victim of a ransomware attack.
I’m sorry it’s that high, but still, at least it’s not as high as 13% on our national poll. 17% have had a dig- digital outage. Nearly a quarter have lost critical data or access platforms when staff left. Ahh, I would tear my hair out.
And 16% of you have a digital recovery plan. Yay, let’s make a commitment trying to get that number up in the coming year.
Well, thank you.
That helps me understand what some of you in the audience are dealing with. And, Ariel, we can take that off stage now. So, here’s the story from my scanning that I chose as a jumping off point for today’s chat.
It’s a story from the Ithaca Voice, which appeared in January titled “Museum of the Earth Faces Extinction Under an Imminent Threat of Foreclosure”. For context, the Museum of Earth, which is located in Ithaca, New York, is the public face of the Paleontology- Paleontological Research Institute, which is a 501c3 nonprofit dedicated to interpreting the history and systems of the Earth and its life to increase knowledge, educate society, and encourage wise stewardship of the Earth.
Awesome mission statement. The museum’s collections encompass more than 7,000,000 specimens, which makes it one of the largest paleo collections in the US. It’s a really great museum. The story summarizes the really unfortunate financial crisis which is facing the museum and then notes that during the pandemic, half of PRI staff focused on creating free online content for the remainder of the pandemic.
And now PRI’s online presence is extensive with its website clocking 1.2 million visitors annually. It notes that last year, the site was accessed from every country in the world, except North Korea. Teachers and professors from all over the world utilize PRI’s robust materials and digitized collections in their work and research. In the event leadership at PRI choose to close the museum, the article ends by saying, its expansive collection would need to be rehomed.
We’re dropping a link to the whole story in chat. Okay.
We’re also dropping a link in chat to the museum’s donation page if you’d like to help sustain through this financial crunch. I will make a donation. Now it would be a tragedy if this wonderful institution does indeed close. And if it does, it will create an all-too-common situation throughout the history of natural history museums, which is orphaned collections.
Natural history collections often have very large collections of items that have limited monetary value and enormous scientific value, which should stay in the public domain. But who’s going to adopt them?
But I chose this story to spark our discussion today because of a related question. Which is what about the digital assets? At the Museum of the Earth, this includes the Digital Atlas of Ancient Life an open access paleontology textbook, 3D digital scans of fossils and modern specimens, virtual exhibits, and resources for teachers. It’s a phenomenal resource.
Well, if the museum does close, what happens to those digital assets?
Who might adopt them, and where would the money come from to maintain them?
And if they aren’t adopted, might they be lost to the world?
Well, with that preamble, I’d like to bring on stage our special guest today, Nik Honeysett.
Nik is the Director and CEO of Balboa Park Online Collaborative, also known as BPOC. A San Diego based nonprofit consultancy that connects audiences to art, culture, and science. He’s also a long time CFM thought partner and an adviser on digital issues. We’re dropping into the chat a link to a blog post Nik wrote earlier this year on investing in digital resilience.
So welcome, Nik. Thank you for joining me for Future Chat.
Nik Honeysett:
Absolutely. Beth, Elizabeth, how are you doing?
Elizabeth Merritt:
I’m good.
So, you helped me pick this story because we both thought it had disturbing but really interesting implications. Based on your experience, what are some thoughts you have about this story, which as futurists would say, is a potential signal of change?
Nik Honeysett:
It’s a challenge. Right? And so, as you said, we we have half of what we do is IT support. So, we’re in in this world of ensuring that we are supporting institutions with the technology. Um, we’ve had failures ourself and and I I was I was trying to figure out how to kind of introduce this concept of risk. Right? And so, where I landed was computer warranties. Right? So, whether you are, you know, you’re purchasing purchasing a laptop, purchasing a desktop, or you’re purchasing a server, and they come with a warranty. And maybe the warranty is three years.
What what does that three-year warranty mean?
It means that the manufacturer is only guaranteeing that that thing works for three years.
Right? That’s essentially what they’re saying. And so anytime up when and we’ve all experienced it. Right? Whether it’s a washing machine or a tumble dryer or a computer, it’s like, when the three years is up, things start to happen. Right? And sometimes literally the day before. And the reason the reason for that is that that timeline is based on what’s called the MTBF, right, which is the mean time between failures. And so that is how warranties are constructed. And, obviously, you know, you can buy an extended warranty for a lot more money because they know things are gonna fail. So, you know, these manufacturers are telling you this thing has a life expectancy, and so, do something about it.
But I think this, we’re faced with a number of critical issues here. So, one is the hardware itself failing. Right? And one is the kind of digital fail that can happen. And sometimes those two things are connected. And a short story: So, a museum in the park that we support who for a couple of years, have been trying to find funds to replace their server. It was about ten years old. And, of course, the year they get the funds is the- before they buy the new server, is the year that the server fails. You know, there’s about 20 terabytes of data on there. And so, it’s backed up every night, etcetera, etcetera. But to restore 20 terabytes of data, it takes a long time. And our initial expectation was two weeks. And so that and that was critical stuff. Right?
So, for them, is was potentially being down for two weeks. Fortunately, it happened on the Thursday. We were able to recover it over the weekend, so we were we were kinda good. But I think what it points to is I’ve been involved in museum technology for a long time. And what I’ve witnessed is this, um very- an expectation and faith in the reliability of the technology that we’re using, right, which is unwarranted. Right? Just my point about the warranty, this thing’s only gonna last a couple of years. And I think the- it, it’s both heartwarming and concerning. Right? But I think it’s one, one question I would pose to the group is how much do you trust, you know, your infrastructure? And if you don’t know about it, you probably trust it a lot because most of the time, it works. And the problem is that time that it doesn’t work can be really catastrophic. So that’s kind of on the hardware the hardware side. Right? An expectation, you know, plan what is it?
Plan for the worst, expect the best, or whatever that phrase is. But on the on the digital side, the, you know, we see this and anybody who’s followed that link to the blog post. You know, we we have this kind of matrix of, levels of technical competency and investment, and I think that’s that word investment. I’m gonna talk about that in in a minute. What we see at the low end of that is a lot of use of free software and free platforms. And I’ll make a distinction between systems and platforms in in our world. Systems are application software that’s being used by staff to do their job. And deliver, you know, programming and operations and then platforms are things that we are not in control of, but we use to engage with kind of audiences or something. So, for example, you know, we see a lot of and I was pleased to see this in the, in the survey. We see a lot of small institutions that are- you’re getting some echo on me.
Um, we’re seeing a lot of institutions that their kind of core productivity suite, you know, so Google or Microsoft 365 is a personal account. And oftentimes, that survey result that you got is due to a personal setup for the kind of core digital infrastructure for an organization. And when that person goes, that all goes with them. And we’ve had, you know, real problems in in having to kind of figure out how to deal with that and move and migrate those things to, you know, to a business, business email. But I think, fundamentally, it’s that’s kind of at that low end. And I think what frustrates me a lot, and maybe we’ll get some, feedback from the folks on the call on this is this notion of expense versus investment mindset. You know? In- institutions will invest in things that they think are important. And I and I’m I don’t I don’t mean that derogatory, but in in so exhibitions, a lot of investment goes into that.
Marketing, you know, these kinds of very tangible things. A lot of investment goes into. Absolutely. But increasingly, digital is so critical to our operations, yet it’s still viewed as an expense. Right? The way technology came into museums was this kind of free route of no formal, um no formal positions. So, you know, the person who was good with computers, you know, became the IT person kind of thing. So, you’ve seen this gradual evolution of technology in museums, which started off as just this free stuff and somebody else did it. So, it was this you know, now we have real jobs. All that kind of thing. It’s a profession. It’s a discipline. In the same way that curatorial practice is a is a discipline. Technology is so complex to be delivered appropriately, that it it really is, a discipline. So, this notion of well, I don’t wanna buy this thing because it’s gonna cost me a thousand dollars. Is an expense mindset as opposed to if we invest in this platform or this system, this is what it’s gonna give for us. And it seems very hard to convince and I’m and I’m being generic here, and I’m and I’m assuming there are folks on the call who are, to convince leadership about that investment. Right? It took us, like, three years to convince this museum that this this server was they were on borrowed time. This thing was gonna fall over at any day. And so it’s,…
Oh, great. Great. Tom Andrews has absolutely experienced that. Thank you for the thank you for the support, Tom. So, this kind of temporary mindset, right, and this kind of project mindset. You know? Museums are in this kind of mode or beginning kind of middle and end of, like, exhibitions. Right? An exhibition has a beginning, a middle and end, and then we move on to the next thing. What I will say, though, is in COVID, we should look at COVID as this moment when there was a switch from technology expense to technology investment.
Right? And for a period of time, you saw a lot of institutions probably because there’s nothing else to do, investing resources and time and money to connect and with audiences, right, because they couldn’t open the doors.
And and I’ve seen that investment mindset now you know, back out. And what happened during that time, this investment time, was we all connected with people around the world. Right? We all connected with audiences that we never had done previously. But when we all opened again, it it kind of all came back. So that’s been frustrating, for me.
Elizabeth Merritt:
Well, Nik, before we’ve got about two more minutes before we’re gonna go to,
Nik Honeysett:
Okay. Yeah. You need to shut me because I’ll just keep talking about you. breakout. So. No. No. No. I just wanted to jump in and ask you when you think about this specific story, when you think about and not looking at Museum of the Earth, specifically necessarily. That’s just a jumping off point.
One of the things that museums are building just in the last few decades are these vast digital assets. And the field already had a problem that many museums don’t have a backup plan for what happens to the physical collections if there is a terrible misfortune and the museum goes away.
It seems to me that with the digital assets, it may be an even bigger problem because first of all, there’s the problem of, yes, if the museum goes broke. But also, museums have not treated their digital assets with the same sort of commitment to long term preservation necessarily that they do with the collections.
So, you might have a museum that says, well, we built up these digital assets, but we have to cut back. We can’t store them anymore. We can’t afford it. And then you have to have some sort of transition. Are you- what are you seeing in the way of commitments or planning to the long-term costs of maintaining what have become these phenomenal resources.
They’re not seen as I believe, the challenges. They’re not seen as real. Right? And I think there isn’t a recognition that the- your profile and your presence is increasingly digital. Right? So the building goes away. You know? That’s a problem. Digital doesn’t have to go away. I mean, if you look so think if you look at the Internet archive. Right? Right, you can go back decades and find your stuff. And I think partly there is a
You know, in some respects, that’s a plan b for some institutions, right, whether knowingly or not. A plan b is, well, our stuff is all on Internet archive. And I’ve and I’ve seen it when there have been requests for, you know, information that not necessarily museums, but that have previously been on digital and now disappeared. It’s like, well, you can get it on Internet archive. I mean, I don’t know whether that should be anybody’s, you know, real plan. But, you know, putting money aside, like, institutions have endowments. Right? Why don’t we set up an endowment for our technology to exist over the next 25, 25 years. I mean, it wouldn’t be anywhere near what you’d need- you know 5%. You know, maybe you need 10,000 a year, right, at the outset. So maybe that endowment is just 100,000 if you keep it at a 10% draw. So, it’s not a huge it’s not a huge lift to think that this is really possible.
Right? If we could raise money and I have challenges raising, we all probably have challenges raising for technology money. Right? It really is a a challenge. But we really do need to add this to kind of donation development track is real support for technology, which can’t be a zero-sum budget. Right? You can’t start off your next year’s budget saying, well, you know, the technology budget is zero. How do we build it? You know, your technology budget needs to be this kind of long term, all this infrastructure just has to be carrying over and has to be increasing.
Elizabeth Merritt:
I love that. And I especially love the idea of digital endowments. I’m gonna use that. Because it seems like it’s not only budgeting for the short-term cost, and investing in capacity, it’s long term planning. It would be the equivalent of running a capital campaign to build a building without forecasting what you’re gonna need to maintain and staff the building and fill it with programs. Okay.
Nik Honeysett:
Exactly.
Elizabeth Merritt:
This was a great thought leadership experiment and getting people thinking about it. Now we’re gonna transition to our other regular feature of Future Chats by giving all of the attendees a chance to talk to their peers.
We’re gonna break all of you into discussion arms with a couple of- with a question to frame your conversation, and then we’ll bring back together with us at about 40 to compare notes and share thoughts.
And please remember one rule of Future Chat is what’s said in chat, stays in chat. Please hold anything that’s shared by your fellow attendees in confidence, and don’t repair- share- repeat their remarks or share their embarrassing stories of what happened at their institutions with digital failures.
Couple of notes about the breakouts.
While we’re sending you out into rooms of eight, for various reasons, you might find yourself in a room by yourself with only a couple of other people. And you can use the join other room feature to move into a room with more people. Okay? So don’t feel like you’re stuck in a room by yourself.
The other thing is you’re gonna have to enable your mic and your video to allow other participants to see and hear you in the rooms. Okay? So, make sure that your computer is letting you access your mic. Access the video.
The other note is, if you’re joining us via a mobile device, it may not support participation in the breakout rooms. Sorry. That’s just a function of the platform and how it works on mobile versus a lap- versus a computer. So, if you find yourself in that situation, I encourage you to step away, think about the issues, take a break, and reengage with us at 40 when we reconvene to share some thoughts.
Okay. With that in mind, here’s your assignments for the breakout rooms.
First, go around and make introductions, who you are, where you’re based, and your organization. This is a lightning round. Make your intro super short so you have time to dive into exploring our question, which is actually a mini scenario.
You come into your institution tomorrow morning, and while there’s electricity, there’s no connectivity whatsoever. No email, no Wi Fi, no access to cloud storage, no access to internal network. This is true for all of your colleagues. It’s not just your computer. That mean- may mean you can’t access your CRM or your collections catalog or your ticketing systems, as well.
You have no idea why this happened. And you have no idea when it’s gonna come back online. So for you to discuss with your group, what’s your top of line worry about getting through the day? What’s one big thing you have to figure out right now about operating the museum with no connectivity at all? Okay? Now we’re going to be flipping you into breakouts, as I said we’re trying to get 8 people per room, feel free to shuffle yourself-
Welcome back. While people are coming back into the room, I want to remind you that you can use chat to share some of the ideas that surfaced in your discussion rooms.
So, I’d love to hear where did your mind leap to when you contemplated how to get through the day with no connectivity whatsoever?
What are the first things that came up when you were talking to your peers about this? Happened to me? We couldn’t do this. Here’s what our biggest worry was.
I know it will take a few seconds for you to get your thoughts together and begin dropping that in chat. So, while you’re beginning to do that, we’re gonna share a few resources from AAM on cybersecurity. So different kind of disaster, not an issue with the connectivity being lost, but somebody come in and hacked your data and froze it, so you have no access. What can you do to try and make yourself armored against ransomware or other kinds of cyber hacks? We’re gonna drop into chat four great resources from the AAM website that you can use to access information. Okay. So, Nik, while we’re waiting for people to begin to chime in, did anything come up in your thoughts from the room that you were in? Or from your own experience of museums actually having the situation arise that we wrote this new scenario about.
Nik Honeysett:
So, we actually had this scenario happen in in Balboa Park, and our challenge is that it’s a- we have a single pipe coming into the park, and it’s distributed out on a shared service basis. So, if that pipe goes down, then, everybody’s down. And what had happened is, actually, a homeless person had got into a critical cabinet that was outside, and it took- it actually took the utilities people a long time to figure out what the problem was. And so most institutions, you know, their biggest problem is admissions. So, the biggest problem is can’t take, they can’t take revenue. So, for the smaller museums, big problem, particularly it was it was in the summer. And the some of the others were like, we’re just not gonna open.
You know? It was such a critical business problem that they chose not to open. They couldn’t they didn’t have a plan in place to, you know, to figure out, okay, well, this is what we’re gonna do. It was just we we’re just staying close. And it took about it took about a day for them to locate where the problem was because it was an unusual- Again, the scenario, electricity was fine, connectivity was down.
Elizabeth Merritt:
So, some things come up in chat that I hadn’t thought of. Mac comments, so my museum is completely digital with no physical location. We work with website design and management companies and are hosted on WP Engine. Should something go down, that would be crisis level as our museum would pretty much cease to exist.
Never thought of what a backup plan would be for that. So, I have a question from Candice I’m gonna bring to your attention. How do we guide our IT contractor to best protect our online files of all types?
Nik Honeysett:
This kind this kind of conversation came up about, you know, increasingly moving to, cloud supported application- collections management systems. Right? So, you know, let’s I don’t want to pick on Gallery Systems, but I’m gonna have to because they did have an outage, right? They had a ransomware attack. There was for those who were on their cloud version of TMS, lost connectivity, lost access, and in certain circumstances, actually quite some considerable time. There were some issues with re, kinda reinstalling or reinstating the latest version that they, that they have. And then this you know, the balance between having something on-site that you’re in control of and having something off-site that you are reliant on.
And so, I think that that is a problem. You know, there’s a philosophy of LOCKSS, which is lots of copies keeps stuff safe- Keeps stuff safe. There’s the concept of, of having, you know, dual locations, a colocation of your information. You know, the concept of backing stuff, ensuring that your back up works. A lot of people tell us that their, you know, their stuff is backed up, but when you ask them, well, when was the last time you retrieved something, you know, it’s oftentimes well, you know, maybe six months ago. You know? That should be a standard you know. That should be an OSP- an SOP is we have backup, but can we get stuff back, from it, and how long does it take? I mean, I think I have to say if you have a if you have a good IT contractor then you should be asking them you know, how are you supporting us in this? If there’s a problem, you know, go through disaster scenarios and ask them what, what is your solution to us avoiding this particular disaster scenario? And so, I, I think you, you shouldn’t Candice, you shouldn’t feel that it is your responsibility to figure that out. You know? Your IT contractor should be providing that. Should be in there in your contracting terms.
Elizabeth Merritt:
I wanted to bring up something that appeared in the comments Marie was commenting that my museum only started charging admission about ten years ago, plus we do have several free days each year. so, we’d consider opening, but not charging admission for that particular day. Now I remember when we had the CrowdStrike outage last July, several museums had to deal with this issue of we can’t sell tickets. So, what do we do? And some museums chose to close, and some museums chose to decide to go free. But it seems like that’s a very specific example of a scenario that management can talk out and have a backup plan. People automatically click in; we know if we can’t issue tickets for whatever reason, here’s what we do. We close, or we let people in for free, and here’s what we’re doing to do that or communicate it or track it.
There- but it’s it also was clear from reading the comments, this is a multifaceted issue because if it’s not a specific outage of one system, there are lots of things that have to go into that decision. You mentioned that in museums increasingly security operates via Wi Fi. So, what happens if your security staff can’t provide adequate coverage? You might be saying, we can let people in for free. And they might be saying, but we can’t cover the galleries. You also mentioned that increasingly HVAC systems may be operating via Wi-Fi, so you know, the issue of letting people in besides, you might be having to lock up the building to try and reduce the air changes if you’re not able to provide active conditioning for 24 hours.
Nik Honeysett:
It’s a very multifaceted problem, this. You know, you think it’s you think it’s simple until you start doing disaster scenario planning. You know, so tabletop exercises would be a really good thing to do of, okay, this is our scenario, and this is how we solve it and just going through that kind of game of figuring out what our relation- what’s our response. And the challenge is, you know, not knowing how long it’s gonna go on for.
That’s the problem. Because if you’re a small museum and you’re not gonna have you’re not gonna be able to do this for a couple of weeks, that’s significant. That’s a real problem, particularly in summer.
Elizabeth Merritt:
So, I’m gonna pull up your idea. This is a tabletop exercise and say this is one concrete suggestion for people who are participating in this webinar is take that very scenario that I gave you more fit to fit your circumstances and do it as a staff exercise to actually come up with a list of here are all the things we’d have to face.
This isn’t a low probability event. I mean, we wish it was lower probability, but when you add up all of the things that can result in this circumstance, it’s something that is very plausibly something that could happen to any institution over a ten-year time frame.
So, what’s the backup plan for all of those facets? What are the implications, and how would you quickly flip into response mode having thought of all of the impacts of not being able to have that connectivity?
Nik Honeysett:
Right. There’s an interesting comment from Lynn Swain about Lightning Strike.
Never thought of that one. But, you know, cyber- so a couple of cybercrime issues there. The, you know, certainly ransomware is the, the kind of biggest problem with ransomware is the, the cost of it is tied to crypto. Right? So when, when, when this when and there’s a lot of, lot of those ransomware still going around that were generated, you know, created years ago when crypto when they thought, well, institutions will just pay this because it’s, you know, it’s cheap. Now it’s significant. You know, we, we had a situation not, not an organization we were managing, but an organization adjacent to the park who got hit by ransomware, and they couldn’t pay it.
They just didn’t have the funds to, to pay it because it was tied to crypto. Price of crypto was way up, and it was it was several thousand dollars, which they were mostly a volunteer organization, and they couldn’t, they couldn’t pay it.
Fortunately, we were able to find- just so everybody knows, if you do get hit by ransomware, you should check for the availability of keys on the web. There, we were able to unlock their files based on a key that somebody had posted.
Elizabeth Merritt:
That’s awesome. I didn’t know that there were white hats out there boosting keys to undo ransomware. That’s great.
Nik Honeysett:
It’s and it’s ironically, the ones that have been around longer are the ones where the keys are posted, and those are the ones that are probably more expensive.
Elizabeth Merritt:
The other thing to remember, and again, this is probably for bigger institutions, but more museums are beginning to buy ransomware insurance so that your insurance company can handle the negotiations and pay or not pay for you. And cover hopefully make you whole if you have to pay.
Nik Honeysett:
If anybody has tried to claim the insurance on something, cybercrime, it is incredibly difficult. If you look at the terms and conditions for payout, it is, it is a level of technical sophistication and security that I would argue pretty much every museum isn’t at yet. I mean, it, it really is a significant challenge. We had, we’ve had a situation when there were six, based on the policy, there were six things that the institution failed at, which meant that they couldn’t claim any insurance.
Elizabeth Merritt:
Okay, because they claimed that they weren’t doing due diligence in keeping it from happening.
Nik Honeysett:
Right, right.
Elizabeth Merritt:
Okay. I’m gonna bring up one vulnerability that hasn’t come up in chat yet, but it’s come up with me in personal communications with other museums, so I wanted to throw it out there for consideration.
A lot of museums have partner organizations. If you’re a university museum or a government museum, you may have a private 501c3 friends’ organization. Or in some cases, two different nonprofits worked together to operate a, a site. One thing somebody was telling me was they felt very vulnerable because they only had control over policies and procedures and training for the people they hired, but the databases and the data and a lot of the systems were accessed by people from both organizations.
So, then you feel like you don’t have control over being able to protect your firewall access from people who, who need the data, but then aren’t necessarily subject to the same levels of control.
Let’s see what else is coming up in chat.
Nik Honeysett:
Today’s collections management. Yep.
Elizabeth Merritt:
Ah, this is, I like this comment from Mary. We had an HVAC system that worked via Wi-Fi, but only the contractor had that access. When we replaced the system, we made sure to have physical ways to control the system on-site and staff access to the Wi-Fi part of the system. That’s very good advice.
Nik Honeysett:
Yep. Yeah.
Elizabeth Merritt:
Okay, just giving a last call out to the audience. If you have any particular questions for Nik while we have him online, is there anything you’d like to ask him?
Oh, gosh. I’m just reading more horror stories in the chat.
Nik Honeysett:
But that, Rachel’s comment about exhibits run on custom-built systems. Right? That that’s we are reliant on these organizations. Everyone from Google, you know, who shouldn’t be doing evil, that anyway, to, to a situation like this, like single contractor, you know, you, you engaged with that contractor probably because it was the most economic way to do it and it, it gave you what you needed. But the, the possible outcome of that is that they can just decide to pack up one day, and then you’re just left on your own.
Elizabeth Merritt:
I’m gonna bundle two questions for one last quick answer that we can either get into or we could promise to do a blog post on it later. One question is very straightforward. Is it safe to use cloud backup systems to back up? And a related question, what are a set of best practices for servers, backup, cloud, etcetera, guiding small museums for a checklist?
Nik Honeysett:
I mean, yes, it is. But increasingly, going to cloud means that you have to up your bandwidth. Right? So, you want access to that stuff. I think the, to that, what a best practice is for service backup cloud, etcetera, for a small, I mean, if you’re really a small museum, if you can afford- the ideal scenario is, and there are some cloud services that provide this, is you have an on-site storage that is backed up to the cloud, you know, incrementally daily. If you can afford that, that’s, that’s the best scenario because you’ve got best of both worlds, there. If you can’t afford that, then you’re you should be and so maybe you’re just on premise. Right? So, all your information is on premise. Maybe you have a website, social media, that stuff is you know, that stuff’s in the cloud. But if it’s on premise, you should have some kind of- either a system that’s duplicating that and you’re taking it off site, you know, because the danger you face there is that you’re in one location and you could have a disaster in that location and that’s a problem. So regular physical removal of a backup of what you have on-site. That’s kind of right at the low end.
Elizabeth Merritt:
Awesome. That sounds like great advice for everyone. I’m gonna offer one takeaway that came to me in reading all this, which was digital risk is real risk, whether it’s from data loss, or hacking or power outages. And also, the long-term cost of maintaining digital assets because if you don’t pay those long-term costs, they’re at risk. So, the big takeaway for me is it’s important to be aware of these risks and account for them in your budgets and policies and plans. Thank you for coming today, and I hope to have the opportunity to get together with you in person at the AAM Annual Meeting in Los Angeles in May.
On the afternoon of Tuesday, May 6, I’ll be teaching a half-day workshop on foresight with a focus on how to face the future, cultivate optimism, and defy dystopia. We’re dropping a link in the chat to a blog post with more information on that workshop and how to register.
On Thursday, May 8 at 10AM, I’ll give my annual whirlwind tour of this year’s TrendsWatch report, and I’ll be looking at digital risk along with the next era of volunteerism and the growing backlash to DEI. And on Friday, Nik is going to be giving a talk at 30, leading a session called Cut through the NOISE: Data-Driven Strategic Planning. So that’s another opportunity to connect with Nik and hear some of his thoughts.
To get you amped up for the conference, we’re gonna conclude with a two-minute video previewing what you could expect in LA. So, enjoy, and I hope to see you at AAM 2025.