top of page

Lessons from the British Library

The Financial Times has reported that the British Library is likely to spend 40% of its reserves on recovering from its October Ransomware attack.

Aside from that £6m-7m, the disruption for the entire organisation continues - their online catalogue is still unavailable and, no doubt, the senior leaders are still working through what is now a 4-month nightmare with little end in sight.

What does this one specific incident tell us about how non-executives and trustees need to think about Cyber Security? Here are four things:

1. Do you Pay? From the attacker’s perspective, the successful end result of a Ransomware attack is to get the victim to pay the Ransom. That’s why the attackers make it easy to pay, sometimes offering Customer Support lines if the victims need help (yes – you really couldn’t make it up).

For the British Library, the ransom was reported as being ~£600k; that’s just 10% of the cost which they will now pay from reserves.

The National Cyber Security Centre (NCSC) give clear advice on paying a ransom:

2. If it can happen to a library, it can happen anywhere. Attempting to hack a bank makes sense, after all, it’s where the money is. But these days, working out who will be the next major cybercrime victim can require a leap of imagination. For this reason, it’s not always wise for a Board to spend too much time on the question of whether an organisation may be a target.

3. Where are your resources focused? I’ve not looked at how strong the British Library cyber defences were. But a good reference point is the Scottish Environmental Protection Agency – SEPA. The external review into their Ransomware attack explained how well prepared they were, but they still suffered a devastating attack.

4. Wherever possible - Go Public. Finally, as with most Crisis Comms advice, being in control of the message always helps. No one likes to admit that they’ve been a victim of an attack, but getting the message out early helps.

And once again, strong backing from the Board is critical.


bottom of page