Ransomware: lessons all companies can learn from the British Library attack

This wasn't the type of cyber attack that can be easily glossed over. The British Library's enormous trove of data - with over 170 million items, including 13 million printed and electronic books, plus hundreds of thousands of periodicals, microfilms, and rare manuscripts - is used by researchers around the world.

Visitors to the library - online or in-person - were left in no doubt of the scale of the problem.

Meanwhile, the Rhysida hacking group demanded a ransom of 20 Bitcoin (approximately £600,000 at the time) for decryption keys and the return of the stolen data.

The British Library, however, announced that it had chosen not to have any contact with the Rhysida gang, let alone pay the ransom:

• Enhance network monitoring capabilities: Legacy network technology may need to be upgraded to ensure that advanced security tools can benefit from full visibility of the network.
  
  
• Retain on-call external security specialists: Having expert external security advice on retainer allows for additional resilience, improved speed of response, and depth of analysis in the earliest stages of an incident.
  
  
• Fully implement multi-factor authentication: Mandate MFA across all internet-facing systems, including supplier endpoints.
  
  
• Enhance intrusion response processes: Conduct thorough security reviews after even the slightest sign of network intrusion in order to prevent attackers from regaining a foothold.
  
  
• Implement network segmentation: Compartmentalise networks to minimise the potential impact of breaches.
  
  
• Practice comprehensive business continuity plans: Regularly practice attack scenarios for maximum preparedness.
  
  
• Maintain a holistic overview of cyber-risk: Routinely escalate all IT risks to senior management, ensuring their understanding for informed decision-making.
  
  
• Modernize systems, eliminate legacy technology: 'Legacy' systems are not just hard to maintain and secure, they are extremely hard to restore. Prioritise continuous investment in modern systems for security and recoverability.
  
  
• Prioritise remediation of issues arising from legacy technology: Address issues stemming from outdated technology as a matter of urgency throughout the organisation.
  

• Prioritise recovery alongside security: Yes, you should invest in preventative measures, but you also need to ensure that you have the capability to rapidly restore systems if an attack should happen.
  
  
• Cyber-risk awareness and expertise at senior level: Improve cyber-risk understanding among senior leadership for strategic investment; consider putting in place a dedicated expert to sit on the board or advise it.
  
  
• Regularly train all staff in evolving risks: Provide role-specific, up-to-date cybersecurity training for all employees.
  
  
• Proactively manage staff and user wellbeing: Include provisions for managing staff and user wellbeing in the aftermath of an attack, some of whom may have had their data compromised or their work disrupted.
  
  
• Review acceptable personal use of IT: Update acceptable use policies to enforce personal data security best practices. The level of intrusion into the lives of individual staff members can be exacerbated where the use of network storage is allowed for personal use.
  
  
• Collaborate with sector peers: Share insights and threat intelligence within your sector to stay informed about common threats and best cybersecurity practices.
  
  
• Implement Government standards, review and audit policies and processes regularly: Meet minimum cybersecurity standards and conduct frequent policy and process reviews. The British Library says it was accredited Cyber Essentials Plus from 2019 until 2022, when changes to the standard meant that it ceased to be compliant pending replacement of some of its legacy core systems. It says its new infrastructure will be built to Cyber Essentials Plus standard in recovery.