In October 2023, the British Library fell victim to a ransomware attack by the Rhysida group, a known “ransomware-as-a-service” operator. The attackers extracted approximately 600GB of sensitive data and demanded a ransom of 20 bitcoin (around £596,000). When the British Library refused to pay, the data was leaked on the dark web. The incident has since been described as one of the most severe cyberattacks on a UK cultural institution.
Today, the attack serves as a reminder to audit and risk professionals of the importance of good cyber hygiene and adherence to evolving best practice. The British Library published a lessons-learnt review of the incident, which offers invaluable insight to organisations considering their own cyber risk and resilience strategies.
The attackers exploited a Terminal Services server installed in 2020 to facilitate remote access. Critically, this server lacked multi-factor authentication (MFA), a known vulnerability flagged years earlier. This highlights the importance of identifying and securing all potential attack surfaces, especially those introduced to support remote work or third-party access.
Action: Conduct regular reviews of remote access points and enforce MFA across all critical systems, particularly those accessible externally.
The attackers used keyword searches (e.g., “passport”, “confidential”) to locate sensitive files, indicating poor data classification and storage hygiene. The lack of structured data governance made it easier for threat actors to locate and exploit valuable information.
Action: Implement data classification policies and ensure sensitive data is stored securely, with access restricted based on role and necessity. It is also critical to understand the ‘Joiners, Movers and Leavers’ processes: how system access is granted and, importantly, how it is amended or revoked as individuals move within or leave the organisation.
The breach was facilitated by compromised third-party credentials. This underscores the need for rigorous third-party risk management, especially when external vendors have administrative access to internal systems.
Action: Regularly assess third-party access rights, enforce contractual cybersecurity standards, and monitor vendor compliance. When privileged access is granted, define the timeframe for which it applies and when it should cease or change.
The British Library struggled to identify what data had been compromised and where it was stored. This lack of visibility delayed response efforts and complicated communication with affected stakeholders.
Action: Maintain an up-to-date inventory of digital assets and data flows. Use automated tools to track where sensitive data resides and who has access. Ensure that the wider technology environment is understood, including linkages between environments and applications.
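The following is an added defensive example, not code from the article or from the British Library's review. It illustrates both the data-classification point above (files findable by terms such as “passport” and “confidential”) and the asset-inventory action here: it walks a file share, flags files whose name or content carries those classification terms, and records whether each one is readable by every local user. It assumes a POSIX filesystem for the permission check, and the sample share it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Terms the article says the attackers searched for; extend with your own classification scheme.
SENSITIVE_KEYWORDS = ("passport", "confidential")

def classify_file(path: Path, keywords=SENSITIVE_KEYWORDS, max_bytes=65536) -> list:
    """Return the keywords found in the file name or in the first max_bytes of content."""
    name_hits = {k for k in keywords if k in path.name.lower()}
    try:
        with path.open("rb") as fh:
            head = fh.read(max_bytes).decode("utf-8", errors="ignore").lower()
    except OSError:
        head = ""  # unreadable files are still reported if the name matches
    return sorted(name_hits | {k for k in keywords if k in head})

def is_broadly_readable(path: Path) -> bool:
    """POSIX 'other-readable' bit; assumption: the share is a POSIX filesystem."""
    return bool(path.stat().st_mode & stat.S_IROTH)

def inventory(root: Path, keywords=SENSITIVE_KEYWORDS) -> list:
    """Walk root and return (relative path, matched keywords, broadly readable)
    for every file matching at least one keyword, sorted by path."""
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            hits = classify_file(p, keywords)
            if hits:
                rows.append((p.relative_to(root).as_posix(), hits, is_broadly_readable(p)))
    return sorted(rows)

def build_sample_share(root: Path) -> None:
    """Constructed sample data for the demonstration, not real files from the incident."""
    (root / "hr").mkdir(parents=True, exist_ok=True)
    (root / "public").mkdir(exist_ok=True)
    (root / "hr" / "staff_passport_scans.txt").write_text("scan index\n")
    (root / "hr" / "notes.txt").write_text("CONFIDENTIAL: salary review\n")
    (root / "public" / "opening_hours.txt").write_text("Mon-Fri 9-5\n")
    os.chmod(root / "hr" / "notes.txt", 0o644)                # readable by any local user
    os.chmod(root / "hr" / "staff_passport_scans.txt", 0o600)  # owner only

def run_demo() -> list:
    """Build the sample share in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return inventory(root)

if __name__ == "__main__":
    for rel, hits, exposed in run_demo():
        print(f"{rel:30} {','.join(hits):15} {'EXPOSED' if exposed else 'restricted'}")
```

Rows marked EXPOSED are the ones a role-based access review should pick up first; in practice the keyword list would be replaced by the organisation's own classification scheme.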
The British Library had not adequately tested its response to a ransomware scenario. The attack destroyed servers and disrupted services for months, including access to catalogues, payment systems, and academic resources.
Action: Adopt a threat-led approach to risk management. Conduct regular teaming exercises and simulate ransomware attacks to test detection, containment, and recovery capabilities. Think about playbooks, how to respond to incidents, and what can facilitate an effective response.
The incident revealed gaps in cross-functional coordination. IT, legal, communications, and operations were all impacted, yet recovery efforts were fragmented and slow.
Action: Develop an integrated incident response plan that includes all relevant departments. Ensure roles and responsibilities are clearly defined and rehearsed. Ensure that the right people are consulted and that cyber risk is not regarded solely as an IT responsibility.
The British Library cyberattack is a reminder that even well-established institutions are vulnerable to cyber threats. For internal audit and risk professionals, it reinforces the need for proactive, holistic, and threat-informed risk management. By embedding the lessons above, organisations can better protect their assets, people, and reputation in an increasingly hostile digital landscape.
For more information or advice specific to your organisation, please contact Richard Evans.