Why Cultural Institutions Are Rich Targets for Cyberattackers

Cultural institutions -- museums, libraries, art galleries, opera houses, and theaters -- are not considered critical infrastructure. Yet, they provide us with difficult to quantify but indispensable value: knowledge, beauty, and music. These institutions are a celebration of the best parts of being human, and they are vulnerable.  

In 2022, a cyberattack on The Metropolitan Opera in New York impacted its website, box office, and call center. In 2023, ransomware group Rhysida targeted the British Library, ultimately leaking stolen data after the library refused to pay the ransom demand, according to The Guardian.  
Cultural institutions are also subject to third-party risk. In December 2023, Gallery Systems, a museum software solutions provider, was hit by a cyberattack. The attack had a ripple effect felt by many institutions, the Museum of Fine Arts Boston, the Crystal Bridges Museum of American Art in Arkansas, and New York’s Rubin Museum of Art among them, according to The New York Times.  

Why are cultural institutions attractive targets for these kinds of attacks, and how can they reduce their risk?  

The Crown Jewels 

What do cultural institutions have that threat actors want? “A lot of times, an organization's digital assets are their crown jewels. Now, when I think of cultural institutions, they also have literal crown jewels,” says Matt Radolec, vice president of incident response and cloud operations at data security company Varonis. 

Related:'Conversation Overflow' Cyberattacks Bypass AI Security to Target Execs

“Because museums are educational and public assets, they’ve been expanding how they can connect the public with the cultural assets they hold, and one of the more recent ways to do that is by digitizing their collections and making this information accessible on the internet,” an American Alliance of Museums spokesperson shares via email. “By exposing these systems and this information cybercriminals can find what systems are used within the museum and try to exploit those systems.” 

In the case of cultural institutions, those digital crown jewels could also be donor data. “A lot of these institutions are funded primarily by donors and philanthropists, and if I can get that information … who are the wealthy individuals or institutions that are donating sometimes exorbitant amounts of money, I'm using a culture institution as a means to an end to then go target those people,” explains Tyler Farrar, CISO of Exabeam, a cybersecurity and compliance company.  

The perception, true or not, of a wealthy donor base makes cultural institutions an attractive target for ransomware groups. If there is money, there could be a willingness to meet ransom demands.  

Related:Cybersecurity's Future: Facing Post-Quantum Cryptography Peril

Museums around the world are repositories of extremely valuable art and artifacts. A breach in digital security could be an attempt to break through physical security as well. “I think the worst-case scenario would be if these attackers use the information to physically steal … pieces of cultural significance,” Andy Stone, CTO of data storage company Pure Storage, tells InformationWeek.  

Attacker Motivation  

Cultural institutions are an obvious target for financially motivated cyberattacks, whether a group is seeking to steal donor data or extort ransoms. These institutions may not even be a selected target. “In a lot of ways, cultural institutions are a target simply by the opportunistic availability and the wide reach of cybercrime,” Radolec points out.  

Money may not always be the ultimate goal of a threat actor. Cultural institutions could be collateral damage in a world of rising geopolitical tensions and politically motivated cyberattacks carried out by nation state actors.  

“If you're an APT actor, you want to take away knowledge. You want to take away culture. You want to take away prosperity because you're engaged in an all-out cyber espionage,” says Radolec.  

Related:Why Cyber Resilience May Be More Important Than Cybersecurity

Publicity could be another motivating factor behind these cyberattacks. Hitting well-known and treasured institutions could earn threat actors notoriety and credibility.  

What Is at Risk 

Cultural institutions face many of the same potential consequences as other organizations if hit by a cyberattack. They may not be able to sell tickets, like The Metropolitan Opera. Sensitive data could be stolen. Those consequences have financial and reputational ramifications. Lost revenue is an obvious impact, but a cyberattack could also impact the relationships an institution has with its donors.  

Larger institutions with more funding are likely able to weather the storm, but there are many smaller ones that may not have the resources and resilience to keep the doors open in the wake of a major cyberattack. “Generally speaking, they operate usually on thin budgets and any impact to those could be devastating and permanently take them out of commission,” says Stone.  

Losing access to a cultural institution -- temporarily or worse, permanently -- has more than just a business impact. When a cultural resource is lost, that hurts the public, too. 

With attacks like the one carried out against Gallery Systems, awareness of cultural institutions’ vulnerability is growing. But Stone expects more incidents will occur before awareness among these potential targets increases significantly.  

“Unfortunately, I think it'll probably take a few of these types of attacks on larger scale, and potentially with some sort of physical result, before institutions really wake up to the fact that they're not immune,” he argues.

Cybersecurity Strategy  

The first step to improving cybersecurity at cultural institutions is recognizing the need. Institutions that have valuable exhibits, art, resources, and performance spaces undoubtedly understand the importance of physical security. Leadership needs to understand that digital security has become another essential tool in protecting their resources and ability to continue serving as valuable cultural resources.   

“They're going to have to earmark certain dollars for certain cyber protections just like they would physical security protections. They just need to be smart and guided in the investment that they make,” says Stone.  

The Cybersecurity and Infrastructure Security Agency (CISA) offers free resources. Foundational cybersecurity frameworks, like ISO/IEC 27001 or the NIST (National Institute of Standards and Technology) Cybersecurity Framework, can give cultural institutions a place to start. “A big part of both of those security frameworks [is] about prioritizing risk, and also ultimately about progress, not about perfection,” says Radolec.  

Who has access to an institution’s digital assets, and how are they accessing them? Even small steps, like implementing multi-factor authentication (MFA), and improving password strength can reduce risk, according to Farrar.  

Many cultural institutions are unlikely to have the resources for an internal cybersecurity team to make use of those resources. Leadership can consider looking to volunteers and tapping donor relationships to get started.  

“There're a lot of people in the community [who] are looking to give back … a lot of people [who] have a deep appreciation for the arts and for culture … want to participate in that,” says Radolec.  

Institutions with bigger budgets can explore working with third-party cybersecurity partners and consider the possibility of cyber insurance. “Other resources that could be potentially available to them are around the concept of a virtual CISO or fractional CISO. That's somebody that's there part-time to advise,” Farrar adds.  

Regardless of budget and resources, incident response planning is essential. Risk mitigation is important, and so is knowing what to do if an attack happens. “What's your communications plan? What's your crisis management plan?” Radolec asks.