It’s not just about hackers or high-tech firewalls. It’s about people—the everyday humans behind the screens. And what it reveals should make every library director, staff member, and IT partner take notice.
People Are Still the Biggest Cyber Risk—and the Biggest Hope
Human behavior—not technology—remains the biggest factor in whether systems stay secure. Many folks know what to do (use strong passwords, enable MFA, install updates), yet fewer than half consistently follow through.
Only about two in five people use multi-factor authentication regularly, and too many delay installing updates. Nearly a quarter have never even heard of MFA.
For library teams juggling public computers, Wi-Fi access, and staff logins, that’s a wake-up call. One forgotten update or reused password can put patron data, staff accounts, and even your library’s reputation at risk.
Cybercrime Is Getting Smarter—and More Personal
- Cybercrime victimization rose again this year—with phishing, identity theft, and online scams leading the pack.
- Deepfake scam calls emerged as a real threat; a significant share of recipients lost money or data.
- The emotional toll is real: victims report stress, anger, anxiety, and even shame.
For libraries, this hits close to home. We serve vulnerable populations, help patrons navigate online forms, and provide public access computers—prime targets for social engineering and phishing attempts.
Training Is Common—But Behavior Still Lags
Here’s the frustrating part: a large majority say training is “useful,” but less than half change their behavior afterward. The top reasons for skipping or tuning out? No time, fatigue, and doubt that training reduces risk.
For libraries, training can’t be a one-time checkbox. It needs to be short, frequent, and grounded in library life—spotting a fake vendor invoice, recognizing a “board member” phishing email, or locking down patron Wi-Fi.
AI Is Already Here—Set Guardrails Now
AI isn’t coming; it’s here. Most workers now use AI tools, and many have shared sensitive work information with them—often without policy or training. That can include board documents or patron communications.
Libraries need clear, calm AI guidelines: what’s allowed, what’s sensitive, and how to use approved tools safely.
Culture Over Technology
Sixty-nine percent say their organization prioritizes cybersecurity—yet nearly half believe coworkers are the biggest IT risk. That sounds harsh, but it’s human. Mistakes happen when people are tired, rushed, or unsure.
Every library needs a culture of psychological safety around cybersecurity—where someone can say, “I clicked something weird—can you check it?” without fear or blame. When people hide mistakes, small issues become big problems.
What Libraries Can Do Now
- Make good habits easy: turn on automatic updates, require MFA, and simplify password management with an approved manager.
- Offer micro-trainings: five- to ten-minute refreshers during staff meetings, focused on one real scenario at a time.
- Publish plain-English policies: especially for AI use, passwords, and phishing reporting—no jargon, just steps.
- Celebrate wins: praise quick reporting and safe choices; don’t just react to mistakes.
Cybersecurity doesn’t have to be scary. It just has to be shared. Strong security isn’t built on firewalls alone—it’s built on trust, teamwork, and a little bit of human grace.
Read the full report: CYBSAFE-Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2025-2026