You need to talk to your board about cybersecurity. Every time you try, one of three things happens:

  1. They glaze over when you mention “multi-factor authentication”
  2. They panic and think you’re saying the library’s been hacked
  3. They ask “Why didn’t this come up last year?” and shut down the conversation

You’re speaking IT. They’re hearing budget threat.

Here’s the script that gets cybersecurity funding approved without board panic or political fallout.

The Three-Slide Presentation That Gets Budget Approval

Your board has 15 minutes, maybe 20. Show them this:

Slide 1: “This Is Happening to Libraries Like Ours”

  • Seattle Public Library (May 2024): Recovery cost: $1,000,000
  • Toronto Public Library (October 2023): Couldn’t check out books for 4 months. 1 million returns stored in tractor trailers.
  • British Library (October 2023): Catalog offline for 78 days. Recovery cost: £7,000,000 (40% of their reserves)
  • Baker & Taylor (August 2022): 17-day outage. 5,000+ libraries couldn’t order books.

The line that matters:

“These aren’t theoretical risks. These are peer institutions that got hit in the last 24 months. They all thought ‘it won’t happen to us’—until it did.”

Show logos. Make it real.

Why this works: Boards respond to peer comparisons. “This happened to libraries like ours” beats “Cybersecurity experts say…”

Slide 2: “Here’s What It Would Cost Us”

| Scenario | Prevention Cost | Recovery Cost (if attacked) |
|---|---|---|
| Do nothing | $0 | $250K-$1M (based on Seattle) |
| Basic security (our proposal) | $25K-$50K/year | $50K-$100K (much faster recovery) |
| Comprehensive security | $100K+/year | $10K-$50K (minimal disruption) |

The line that matters:

“Seattle spent $1 million recovering. For a fraction of that, we reduce our risk by 90% and speed recovery if something happens.”

Add this: The Library of Congress was attacked the same day as the British Library. They had multi-factor authentication. They weren’t breached. MFA is often free with existing systems.

Why this works: Boards understand ROI. “Spend $25K to avoid spending $1M” is simple.

Year 1: Foundation (Budget Request: $20K-$30K)

  • Cyber insurance: $15K-$25K
  • Security audit (one-time): $10K-$15K
  • Plus free actions: MFA everywhere, backup testing, staff training

What this gets us:

  • Insurance coverage for breach costs
  • Professional assessment of vulnerabilities
  • Quick wins that close major security gaps

Year 2: Remediation (Budget Based on Audit: Est. $30K-$50K)

  • Fix critical issues from Year 1 audit
  • Upgrade backup systems
  • Enhanced staff training

Year 3: Ongoing Maintenance (Budget: $20K-$30K/year)

  • Annual security reviews
  • Insurance renewal
  • Continued training
  • Vendor security oversight

The line that matters:

“We’re not asking for $100K upfront. We’re asking for $20K-$30K in Year 1 to establish a foundation, then adjusting based on what the audit tells us.”

Why this works: Phased budgets feel manageable. You’re not dropping a huge unfunded mandate.

The Exact Language That Works

Opening (30 seconds):

“I want to talk about cybersecurity. Not because we’ve been attacked—we haven’t. But because in the last two years, three major libraries were hit with ransomware attacks that cost them millions and months of downtime. I want to make sure we’re not next.”

Why this works: You establish urgency without panic. “We haven’t been attacked” prevents freakout. “I want to make sure we’re not next” establishes leadership.

The Ask (60 seconds):

“Based on what happened to Seattle, Toronto, and the British Library, I’m recommending a three-tier approach starting with a $25K investment in Year 1 for cyber insurance and a security audit. This is like fire insurance—we hope we never need it, but if we do, it covers most of the cost.”

“Seattle spent $1 million recovering. Our Year 1 ask is 2.5% of that cost. It’s not a question of if ransomware attacks continue—they’re accelerating. It’s a question of whether we’re prepared when it happens.”

Why this works: Insurance is a concept boards understand. Clear ROI: 2.5% of recovery cost.

Handling Objections

“Why didn’t this come up last year?”

“Great question. Ransomware attacks on libraries increased dramatically in 2023-2024. British Library and Toronto were both hit in October 2023. Seattle in May 2024. This went from low probability to peer libraries being hit regularly. We’re responding to a rapidly changing threat landscape.”

“Can’t IT just handle this?”

“Our IT staff are excellent, but cybersecurity requires specialized expertise. British Library had professional IT—they still needed outside forensic investigators. The $1M Seattle spent was mostly on specialized consultants. We need those experts before we have an incident, not after.”

“What if we just don’t pay the ransom?”

“British Library, Toronto, and Seattle all refused to pay—good for them. But recovery still took 3-4 months and cost $1-7M. Not paying doesn’t make recovery free or fast. Our goal is to prevent attacks and minimize recovery time if one happens.”

“Is this really a priority compared to books/programs/staff?”

“It’s not either/or. If we get hit like Toronto, we can’t check out books, run programs, or provide services for months. Our Year 1 ask is about 1-2% of our annual budget to protect 100% of our operations.”

The Budget Breakdown by Library Size

Small Library (1-3 branches, under $1M budget):

Year 1 Investment: $5K-$15K

  • Cyber insurance: $5K-$10K
  • Security audit: $5K-$10K (use state consortium or community college IT program for discount)
  • Free actions: MFA, backup testing, staff training

Realistic alternatives if you have $0:

  • Join state library consortium for group cyber insurance rates
  • MS-ISAC free membership (federal program for state/local governments)
  • Partner with local community college IT security program for free audit
  • Shared IT security staff with city/county government

Medium Library (5-25 branches, $5M-$15M budget):

Year 1 Investment: $20K-$50K

  • Cyber insurance: $15K-$30K
  • Security audit: $10K-$20K
  • Incident response retainer: $5K-$10K
  • Free actions: MFA, backup testing, staff training

Large Library (25+ branches, $15M+ budget):

Year 1 Investment: $50K-$150K

  • Cyber insurance: $30K-$50K
  • Comprehensive security audit: $25K-$50K
  • Incident response retainer: $15K-$25K
  • Managed security services (optional): $25K-$50K
  • Free actions: MFA, backup testing, staff training

Key point: Scale to your budget. Don’t let “we can’t afford $50K” stop you from doing the $5K version. Some protection is infinitely better than zero.

The “But We Have No Money” Strategy

When your board says “We’d love to, but there’s no budget”:

Strategy 1: Reallocate Existing Funds

“I understand we’re budget-constrained. We’re currently spending $X on [identify low-priority line item]. If we reallocate $20K from that to cybersecurity in Year 1, we establish baseline protection. Then we revisit annually.”

Possible reallocations:

  • Delay a facility upgrade by one year
  • Reduce professional development travel (use virtual conferences)
  • Defer a non-critical technology refresh
  • Reduce marketing budget slightly

Strategy 2: Emergency Reserve Funding

“Our emergency reserves are designed for unexpected crises. A ransomware attack is exactly that kind of crisis. Seattle spent $1M from reserves recovering. Can we allocate $20K proactively from reserves to prevent spending 50x that amount reactively?”

Strategy 3: Grant Funding

“I’ll apply for IMLS, state library, or regional foundation grants to fund Year 1 security improvements. In the meantime, I’ll implement all the free actions—MFA, backup testing, staff training.”

Real grants to pursue:

  • Institute of Museum and Library Services (IMLS)
  • State library development grants
  • Regional library consortia security grants
  • Local foundation grants (position as “protecting community access to library services”)

Strategy 4: Multi-Year Gradual Approach

“If $25K in Year 1 isn’t feasible, let’s phase it: $10K this year for cyber insurance only. Year 2: Add the security audit. Year 3: Address findings. It’s not ideal, but it’s better than zero.”

The Follow-Up Memo Template

After your presentation, send this:


TO: Library Board of Directors
FROM: [Your Name], Library Director
DATE: [Today’s Date]
RE: Cybersecurity Investment Proposal – Follow-Up

Thank you for the opportunity to present on library cybersecurity risks. I’m recommending a phased investment starting with $[X] in [Year] to establish baseline protection.

Key Points:

  • Three major libraries (British Library, Toronto Public Library, Seattle Public Library) experienced ransomware attacks in 2023-2024 with recovery costs ranging from $1M-$7M
  • Library of Congress survived an attack because they had multi-factor authentication enabled
  • Our proposal: $[X] investment in Year 1 for cyber insurance and security audit (2-3% of typical recovery costs)

Requested Action: Approve $[X] budget allocation for FY[Year] cybersecurity program, to include:

  1. Cyber insurance: $[X]
  2. Security audit: $[X]
  3. Implementation of free/low-cost security measures

Next Steps if Approved:

  • Secure cyber insurance quotes (3-4 vendors)
  • Solicit security audit proposals
  • Implement MFA across all library systems within 60 days
  • Brief staff and create patron communications

Alternative if Budget Not Available: I will pursue grant funding and implement all free security measures immediately. However, without cyber insurance, the library assumes 100% financial risk for a potential $1M+ breach recovery.

Respectfully, [Your Name]


Why this works: You’ve documented your recommendation. If the board says no and you get breached later, you have evidence you raised the issue and were denied resources.

The Nuclear Option: When Your Board Won’t Act

If your board refuses to fund cybersecurity:

Document everything.

Send a formal memo stating:

  • You’ve identified significant cybersecurity risks
  • You’ve provided cost estimates for mitigation
  • You’ve explained potential consequences
  • Board declined to allocate funding
  • Library assumes all financial and operational risks

Copy this memo to:

  • All board members
  • City/county legal counsel (if applicable)
  • Your liability insurance provider

Why this matters: If you get breached and sued, you need evidence you tried to prevent this and were denied resources. This protects you personally.

Then do everything free:

You can’t eliminate risk with zero budget, but you can reduce it significantly. And you’ve documented that you tried to do more.

Frequently Asked Questions

How much does library cybersecurity cost?

Basic cybersecurity costs $5K-$30K annually depending on library size. Small libraries can start with $5K-$15K for cyber insurance and a security audit. Medium libraries need $20K-$50K. Large library systems require $50K-$150K. This is 1-2% of your annual budget to protect 100% of operations.

What is cyber insurance for libraries?

Cyber insurance covers ransomware recovery costs, forensic investigation, legal fees, and notification costs if patron data is breached. For libraries, it typically costs $5K-$50K annually depending on size. Seattle Public Library spent $1M recovering from ransomware—insurance would have covered most of that.

Can small libraries afford cybersecurity?

Yes. Small libraries can join state consortia for group cyber insurance rates, use MS-ISAC free membership, partner with community colleges for free security audits, or share IT security staff with city/county government. Many critical protections (MFA, backup testing, staff training) are free.

What should I tell my board about ransomware?

Tell them three peer libraries (British Library, Toronto, Seattle) were hit in 2023-2024 with recovery costs of $1M-$7M and 3-4 months of service disruption. Present it as insurance: spend $25K to avoid spending $1M. Don’t make it technical—make it about protecting services and controlling costs.

How do I get board approval for cybersecurity funding?

Use a three-slide presentation: (1) Show peer library attacks with dollar amounts, (2) Compare prevention costs vs. recovery costs, (3) Request a phased approach starting with Year 1 basics ($20K-$30K) then adjusting based on audit findings. Frame it as insurance, not IT projects.

What Success Looks Like

If you execute this successfully, here’s what you’ll have in 12 months:

  • Board buy-in on cybersecurity as ongoing priority
  • Cyber insurance covering breach response costs
  • Professional security audit identifying specific vulnerabilities
  • MFA enabled across all systems
  • Tested backups confirmed working
  • Trained staff able to recognize phishing and security threats
  • Incident response plan ready to execute
  • Budget commitment for Year 2 remediation and Year 3 ongoing maintenance

And most importantly: You’ll sleep better knowing you’re prepared.


Now go schedule that board presentation. They need to hear this.


Authenticity note: With the exception of images, this post was not created with the aid of any LLM product for prose or description. It is original writing by a human librarian with opinions.