IT Security Guru

4 lessons industrial companies can draw from the British Library cyberattack

By Edgardo Moreno, Executive Industry Consultant, Asset Lifecycle Intelligence Division, Hexagon

by The Gurus
April 8, 2024
in Featured

While cyberattacks occur daily, few garner as much attention and media coverage as the attack that struck the British Library in October 2023.

The attack, which paralysed the Library’s online systems for months and cost an estimated £7 million, was striking in its magnitude. Yet the blueprint the attackers followed is sadly familiar.

After using compromised employee credentials to gain access via the virtual private network (VPN) that provides employees with remote access, a ransomware gang known as Rhysida managed to steal 490,000 documents and severely disrupt the library’s operations. Once it failed to obtain a £600,000 ransom, the gang attempted to auction these documents on the Dark Web before publishing them for free.

On March 8, the library published a detailed report about the attack. It includes learnings and takeaways that many companies can find useful, far beyond the cultural sector. Here are some of the highlights.

Lack of visibility over your legacy systems is putting you at risk (and slowing down incident recovery)

Many non-specialists still believe in “cybersecurity by obscurity”: the idea that legacy software can be so old and arcane that it somehow prevents cyber-attacks.

The report deals two major blows to that notion. First, it notes that the complexity of the Library’s legacy software contributed to the severity of the attack, by allowing the attackers wide access and leading to critical data being stored in several places.

In addition, several of these legacy applications cannot be restored after the attack, due to obsolescence and lack of vendor support, making recovery longer and more difficult. “Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack,” the report concludes.

Many organisations should heed this warning: leaving legacy software untouched and unaudited is often seen as “free,” but it is actually a form of deferred cost. And, when a cyber-attack does occur, having to replace critical systems on the spot can result in months of downtime and massive financial implications.

This is a particularly critical takeaway for the industrial sector, where the sheer age and complexity of operational technologies can be seen as a good reason to ignore vulnerabilities. In this case, “cybersecurity by obscurity” is better understood as “cybersecurity by blindness”. A much better strategy is to audit existing systems and prioritise actions and investments based on risks and vulnerabilities.

Network segmentation is key to incident mitigation

A second broadly applicable lesson from the British Library cyberattack is the importance of network segmentation. “No perimeter can be made entirely secure,” the report notes. “Network segmentation is therefore essential in limiting the damage caused by a successful attack. The Library’s legacy network topology meant that the attack was able to cause more damage.”

Poor network segmentation has multiple consequences. First, it lets attackers wreak havoc and interrupt operations for extended periods, which makes companies more likely to consent to ransoms. It also provides them access to higher-value data, including private information or passwords, that they can use for further financial gain. Adopting a robust, multi-layered approach that segregates networks into different levels is therefore an essential mitigation strategy.

Skill shortages make it essential to free up IT teams from tasks that should be automated

Another familiar factor that contributed to the cyberattack was that the Library’s technology department “was overstretched before the incident and had some staff shortages which were beginning to be successfully addressed,” the report notes. As the Library finds itself confronted with the necessity to rebuild some of its systems, these shortages are again acutely felt and “will be difficult to remediate without a reconsideration of how the Library remunerates high-demand IT skills.”

Any company can relate: according to the Government’s Cyber Security Skills in the UK Labour Market 2023 report, there is a shortfall of 11,000 qualified professionals and 37% of cyber vacancies are hard to fill. A compounding factor, in this case, is that IT teams were busy servicing legacy applications and performing manual data-handling tasks that could have been automated.

The Library’s situation is not unique: a critical step to addressing skill shortages is to automate tedious manual tasks, including inventory management or vulnerability detection, and provide IT teams with a clear sense of risks and priorities. The report notes that a risk factor that was exploited in the attack – the lack of multi-factor authentication for some applications – had been identified in 2022, but not acted upon.

Your board should “own” cybersecurity

A last important takeaway is the role of corporate culture and senior management in preventing such attacks: “All senior officers and board members need to have a clear and holistic understanding of cyber-risk, in order to make optimal strategic investment choices,” the report notes. “Current risks and mitigations should be frequently and regularly discussed at senior officer level. The recruitment of a board member or board-level adviser with cyber expertise is strongly recommended.”

This reality is increasingly acknowledged at the institutional level: in the EU, the NIS2 directive imposes direct obligations and liabilities on the senior management of companies in 35 industries to reinforce their organisation’s cyber defences.

But companies have yet to catch up. In 12% of large companies, cybersecurity is still handled by a single person, sometimes as part of a broader role. Despite the fact that cyberattacks can cause millions in damages and bring a company to a halt for months, cybersecurity remains all too often a part-time concern – until it’s too late.
