Lessons from the British Library

by Mark Rowe

James Watts, Managing Director at the back-up and disaster recovery IT firm Databarracks, runs his eye over the British Library cyber incident review, released as the institution promised earlier this month.

The British Library [pictured, St Pancras] suffered a ransomware attack in October 2023. It recently published a paper on the lessons from that attack and its subsequent response and recovery.

These types of accounts are rare. The default position for most organisations is to share as little information as possible. We know some victims of ransomware attacks have been told explicitly by their insurance companies not to speak publicly about their attacks. It is hard to criticise this response because there is often little benefit to the victim for sharing information. The real benefit is to others to learn from that experience.

The British Library should be thanked for publishing such a detailed and comprehensive paper, particularly when it highlights its own faults. It is a fascinating read that we would recommend reading in full. For us, there were several details that really stood out.

The burden of legacy technology

This manifested in multiple ways.

Firstly, the nature of the network contributed to the breach and how far the attackers could reach.

Secondly, and in contrast to many other attacks, legacy technology made the recovery much worse. Several legacy systems could not be recovered, either because they were no longer supported or because they were not compatible with the more modern, secure environment the British Library moved to.

We think about the difficulty of maintaining, managing, and supporting legacy systems but less about recoverability. It’s hard to migrate legacy systems and that baggage gets heavier over time. This case highlights both the risk it introduces and the challenge of recovery.

Writing your own incident review

The other lesson from this report is that we should imagine writing a similar report for our own organisations. Would you feel differently about your decisions on risk if you later were required to publish a paper following a breach?

In particular, the section around MFA [multi-factor authentication] stands out. Some systems were considered out-of-scope for reasons of practicality and cost. These are the decisions made commonly in risk assessments. However, reading the report, it seems like an obvious mistake. With the benefit of hindsight, which of your own decisions would not seem so defensible following an incident?

Lessons for the sector

Lastly, the paper ends with sector-wide lessons. The interesting part here is that they’re not very interesting. It’s the same old lessons that we all know: MFA, network segregation, practice your BCP [business continuity planning], train staff etc.

Because these things are familiar, they perhaps don’t get the attention they deserve. When you read them in this report however, they have an urgency that demands action.

These reports are of great value to IT, BC and Resilience teams because they make risk real. Send the report to your risk owners and your board. Use it as the impetus to push through changes and make your organisation secure.


© 2024 Professional Security Magazine. All rights reserved.
