Lessons from the British Library cyber incident review
The British Library suffered a ransomware attack in October 2023. It recently published a paper on the lessons from that attack and its subsequent response and recovery.
These types of accounts are rare. The default position for most organisations is to share as little information as possible. We know some victims of ransomware attacks have been told explicitly by their insurance companies not to speak publicly about their attacks. It is hard to criticise this response because there is often little benefit to the victim for sharing information. The real benefit is to others to learn from that experience.
The British Library should be thanked for publishing such a detailed and comprehensive paper, particularly when it highlights its own faults.
It is a fascinating read, and we would recommend reading it in full.
For us, there were several details that really stood out.
The burden of legacy technology
This manifested in multiple ways.
Firstly, the nature of the network contributed both to the breach and to how far the attackers could reach.
Secondly, compared with other attacks, legacy technology made the recovery much harder. Several legacy systems could not be recovered, either because they were no longer supported or because they were not compatible with the more modern, secure environment the British Library moved to.
We think about the difficulty of maintaining, managing, and supporting legacy systems but less about recoverability. It's hard to migrate legacy systems and that baggage gets heavier over time. This case highlights both the risk it introduces and the challenge of recovery.
Writing your own incident review
The other lesson from this report is that we should imagine writing a similar report for our own organisations. Would you feel differently about your decisions on risk if you later were required to publish a paper following a breach?
In particular, the section around MFA stands out. Some systems were considered out of scope for reasons of practicality and cost. Such decisions are commonly made in risk assessments. Reading the report, however, it looks like an obvious mistake.
Imagine having the benefit of hindsight: which of your decisions would not seem so defensible following an incident?
Lessons for the sector
Lastly, the paper ends with sector-wide lessons.
The interesting part here is that they’re not very interesting. It’s the same old lessons that we all know: MFA, network segregation, practice your BCP, train staff etc.
Because these things are familiar, they perhaps don't get the attention they deserve. When you read them in this report however, they have an urgency that demands action.
These reports are of great value to IT, BC and Resilience teams because they make risk real. Send the report to your risk owners and your board. Use it as the impetus to push through changes and make your organisation more secure.