Lessons from the British Library

by Mark Rowe

In October 2023 a cyberattack on the British Library paralysed the Library’s online systems for months, at an estimated cost of £7m, writes Edgardo Moreno, Executive Industry Consultant, Asset Lifecycle Intelligence Division, at the company Hexagon.

The ransomware gang known as Rhysida stole some 490,000 documents and severely disrupted the Library’s operations after getting in, with compromised employee credentials, through the virtual private network (VPN) that gives staff remote access. When its demand for a £600,000 ransom was not met, the gang put the documents up for auction on the dark web and then published them for free.

On March 8, 2024, the Library [St Pancras, London entrance, pictured] published a detailed report about the attack. This article explores the lessons that many organisations can draw from it, lessons that extend far beyond the cultural sector to industrial companies.

Legacy systems

Many non-specialists still believe in “cybersecurity by obscurity”: the idea that legacy software can be so old and arcane that it somehow prevents cyber-attacks.

The report deals two major blows to that notion. First, it notes that the complexity of the Library’s legacy estate contributed to the severity of the attack: once inside, the attackers had wide access, and critical data was held in several places.

Second, several of these legacy applications cannot be restored after the attack, because they are obsolete and no longer supported by their vendors, which makes recovery longer and more difficult. “Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack,” the report concludes.

Many organisations should heed this warning: leaving legacy software untouched and unaudited is often seen as “free”, but it is actually a deferred cost. When a cyber-attack does occur, having to replace critical systems on the spot can mean months of downtime and a massive financial hit.

This is a particularly critical takeaway for the industrial sector, where the sheer age and complexity of operational technology is often treated as a good reason to ignore vulnerabilities. Here, “cybersecurity by obscurity” is better understood as “cybersecurity by blindness”. A far better strategy is to audit existing systems and to prioritise actions and investment according to risk and known vulnerabilities.

Network segmentation in incident mitigation

A second broadly applicable lesson from the British Library cyberattack is the importance of network segmentation. “No perimeter can be made entirely secure,” the report notes. “Network segmentation is therefore essential in limiting the damage caused by a successful attack. The Library’s legacy network topology meant that the attack was able to cause more damage.”

Poor network segmentation has several consequences. First, it lets attackers disrupt operations for extended periods, which makes organisations more likely to pay a ransom. It also gives them access to higher-value data, including personal information or passwords, that they can exploit for further financial gain. A layered design that divides the network into zones and restricts traffic between zones to what each zone actually needs is therefore an essential mitigation.
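As an added illustration of the zone policy described above (this is example code, not code from the article or from the British Library report), the following Python evaluates flow-log lines against a zone allow-list and then lists which sources tried to spread across zones. Every zone name, address range, port, weight and log line is an assumption constructed for the example; none describes the Library’s actual network.

```python
# Added example, not code from the article or the British Library report.
# Zones, address ranges, allow-list and flow log lines are all constructed.
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed zones; in practice these come from the asset inventory.
ZONES = {
    "vpn_users": ipaddress.ip_network("10.10.0.0/16"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
    "app_servers": ipaddress.ip_network("10.30.0.0/16"),
    "db_servers": ipaddress.ip_network("10.40.0.0/16"),
    "backup": ipaddress.ip_network("10.50.0.0/16"),
    "mgmt": ipaddress.ip_network("10.60.0.0/16"),
}

# Allow-list of (source zone, destination zone, destination port). Any
# cross-zone flow not listed is denied; that default deny is what limits
# how far a compromised VPN account can reach.
ALLOWED = {
    ("vpn_users", "app_servers", 443),
    ("workstations", "app_servers", 443),
    ("app_servers", "db_servers", 5432),
    ("backup", "db_servers", 5432),
    ("mgmt", "app_servers", 22),
    ("mgmt", "db_servers", 22),
    ("mgmt", "backup", 22),
}

# Constructed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<p>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow-log line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def decide(flow: dict) -> Tuple[str, str]:
    """Return (decision, reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone and src_zone != "unknown":
        return "allow", "intra-zone"
    if (src_zone, dst_zone, flow["dport"]) in ALLOWED:
        return "allow", "policy"
    return "deny", f"no rule for {src_zone}->{dst_zone}:{flow['dport']}"


def evaluate(lines: List[str]) -> List[dict]:
    """Evaluate every parseable flow; unparseable lines are skipped."""
    results = []
    for flow in filter(None, map(parse_flow, lines)):
        decision, reason = decide(flow)
        results.append({**flow, "src_zone": zone_of(flow["src"]),
                        "dst_zone": zone_of(flow["dst"]),
                        "decision": decision, "reason": reason})
    return results


def lateral_movement_report(results: List[dict], min_zones: int = 2) -> Dict[str, List[str]]:
    """Sources that tried to reach at least min_zones other zones, allowed or not.
    On a flat network every one of these attempts would have succeeded."""
    reach: Dict[str, Set[str]] = {}
    for r in results:
        if r["src_zone"] != r["dst_zone"]:
            reach.setdefault(r["src"], set()).add(r["dst_zone"])
    return {s: sorted(z) for s, z in reach.items() if len(z) >= min_zones}


# Constructed sample: one VPN client behaving like a compromised account.
SAMPLE_FLOWS = [
    "2023-10-28T02:14:05Z src=10.10.3.7 dst=10.30.1.5 dport=443 proto=tcp",
    "2023-10-28T02:14:09Z src=10.10.3.7 dst=10.40.1.10 dport=5432 proto=tcp",
    "2023-10-28T02:14:12Z src=10.10.3.7 dst=10.50.1.2 dport=445 proto=tcp",
    "2023-10-28T02:14:20Z src=10.10.3.7 dst=10.60.1.1 dport=3389 proto=tcp",
    "2023-10-28T02:15:01Z src=10.30.1.5 dst=10.40.1.10 dport=5432 proto=tcp",
    "2023-10-28T02:15:30Z src=10.20.4.9 dst=10.30.1.5 dport=443 proto=tcp",
    "2023-10-28T02:15:31Z src=10.20.4.9 dst=10.20.4.10 dport=445 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for r in results:
        print(f"{r['decision']:5} {r['src']} -> {r['dst']}:{r['dport']} ({r['reason']})")
    print("lateral movement:", lateral_movement_report(results))
```

Run against the constructed log, the VPN client’s first connection (to an application server on 443) is allowed and its three attempts to reach the database, backup and management zones are denied; the lateral-movement report then names that one source as the host that tried to reach four zones. The same checker can be pointed at real flow records in audit mode before any rule is enforced, to see which existing traffic a proposed allow-list would break.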

Using automation to counter skills shortages

Another familiar contributing factor was that the Library’s technology department “was overstretched before the incident and had some staff shortages which were beginning to be successfully addressed,” the report notes. Now that the Library has to rebuild some of its systems, these shortages are again acutely felt and “will be difficult to remediate without a reconsideration of how the Library remunerates high-demand IT skills.”

The Library’s situation is not unique. A critical step in addressing skills shortages is to automate tedious manual tasks, such as asset inventory and vulnerability detection, so that IT teams have a clear view of risks and priorities. The report notes that one risk factor exploited in the attack, the lack of multi-factor authentication for some applications, had been identified in 2022 but not acted upon.
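The following Python is an added illustration of the kind of automation this paragraph, and the audit-and-prioritise advice under “Legacy systems”, call for. It is not code from the article, the Library or Hexagon. It reads a small application inventory, turns each row into named findings (no MFA, no vendor support, stale patching, internet exposure and so on), ranks the applications by a weighted score, and separately flags findings that have been open longer than an agreed deadline, which is how an “identified in 2022 but not acted upon” gap becomes visible on a dashboard. The inventory rows, column names, weights and thresholds are all constructed assumptions.

```python
# Added example, not code from the article or the British Library report.
# The inventory rows, columns, weights and thresholds are all constructed;
# a real run would read the organisation's own asset and vulnerability data.
import csv
import io
from typing import List, Tuple

# Constructed inventory. "finding_open_days" is how long the application's
# worst finding has been known without being fixed.
INVENTORY_CSV = """name,exposure,mfa,vendor_supported,days_since_patch,data_sensitivity,restore_tested,finding_open_days
remote_access_vpn,internet,no,yes,400,high,no,500
library_catalogue,internet,yes,yes,30,medium,yes,0
hr_payroll,internal,no,no,900,high,no,300
digitisation_queue,internal,no,no,1500,low,no,60
finance_erp,internal,yes,yes,45,high,yes,0
"""

# Weight per finding. Higher is worse; the numbers are illustrative.
WEIGHTS = {
    "internet_facing": 3,
    "no_mfa": 3,
    "unsupported_by_vendor": 2,
    "patch_older_than_90_days": 2,
    "holds_high_sensitivity_data": 2,
    "restore_never_tested": 1,
}


def load_inventory(text: str) -> List[dict]:
    """Parse the CSV inventory, converting the numeric columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["days_since_patch"] = int(r["days_since_patch"])
        r["finding_open_days"] = int(r["finding_open_days"])
    return rows


def findings(app: dict) -> List[str]:
    """Return the names of every finding that applies to one application."""
    checks = [
        ("internet_facing", app["exposure"] == "internet"),
        ("no_mfa", app["mfa"] == "no"),
        ("unsupported_by_vendor", app["vendor_supported"] == "no"),
        ("patch_older_than_90_days", app["days_since_patch"] > 90),
        ("holds_high_sensitivity_data", app["data_sensitivity"] == "high"),
        ("restore_never_tested", app["restore_tested"] == "no"),
    ]
    return [name for name, hit in checks if hit]


def score(app: dict) -> int:
    """Weighted sum of the application's findings."""
    return sum(WEIGHTS[f] for f in findings(app))


def prioritise(inventory: List[dict]) -> List[Tuple[str, int, List[str]]]:
    """Rank applications by score, highest first, with their findings."""
    ranked = [(a["name"], score(a), findings(a)) for a in inventory]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def overdue(inventory: List[dict], sla_days: int = 90, min_score: int = 6) -> List[str]:
    """Applications whose findings are both serious and older than the SLA:
    the 'identified but not acted upon' case, surfaced automatically."""
    return [a["name"] for a in inventory
            if score(a) >= min_score and a["finding_open_days"] > sla_days]


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for name, s, fs in prioritise(inv):
        print(f"{s:2}  {name:20} {', '.join(fs) or 'no findings'}")
    print("overdue:", overdue(inv))
```

On the constructed inventory the internet-facing VPN without MFA scores highest, the unsupported HR system second, and both are reported as overdue because their findings have been open for longer than the 90-day deadline. The weights are deliberately simple; what matters is that the ranking and the overdue list are produced by a script rather than by an overstretched team’s memory.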

Cyber risk goes all the way

A last important takeaway is the role of corporate culture and senior management in preventing such attacks: “All senior officers and board members need to have a clear and holistic understanding of cyber-risk, in order to make optimal strategic investment choices,” the report notes. “Current risks and mitigations should be frequently and regularly discussed at senior officer level. The recruitment of a board member or board-level adviser with cyber expertise is strongly recommended.”

But companies have yet to catch up. In 12 per cent of large companies, cybersecurity is still handled by a single person, sometimes as part of a broader role. Even though a cyberattack can cause millions of pounds in damage and bring a company to a halt for months, cybersecurity all too often remains a part-time concern. By studying the lessons of the British Library cyberattack, organisations can be better prepared for the future.


© 2024 Professional Security Magazine. All rights reserved.
