I’ve been thinking a lot about incident reporting, transparency, and vulnerability when it comes to cybersecurity. Earlier this year, I wrote an article for Forbes on the critical need for more vulnerability (read: less machismo) in the industry. The article touched on the language that surrounds cybersecurity (defenders, strength, etc.) and the problem with how many cyber organisations market themselves, as well as what organisations need to do to forge a better future. But what about embracing vulnerability when you’ve been breached?
Lessons learned: the British Library cyber attack
When I attended CyberUK at the ICC Birmingham (13th - 15th May), I saw Sir Roly Keating, CEO of the British Library, do a talk on emotional intelligence and incident reporting. Although it has been widely covered, for reference, the British Library was attacked in October 2023 by Rhysida, an APT Group, and ransomed for 20 bitcoins (around £596,000). The gang stole 600GB of files, including the personal data of Library users and staff. In March 2024, the organisation released a report, Learning Lessons From the Cyber-Attack: British Library Cyber Incident Review, outlining everything about the incident: bones and all. This report was widely hailed for its transparency and insight.
Often, the truth is uncomfortable: being vulnerable requires courage, and it carries real risk. There is the risk of being scolded by peers, of knowing that what you did or didn’t do will be talked about, and of knowing that your staff, employees, and customers are at risk too, emotionally and sometimes physically (depending on the data stolen).
The British Library attack report is just that: uncomfortably transparent. The report states that their “specialist cyber security advisers concluded that it is not possible to be certain of the exact point of entry to the Library’s network, due to both the severe damage caused to [the] server estate and the range of IT projects being undertaken with third party support.” However, they go on to list the factors that may have contributed to the attack, including a lack of MFA, the increasing use of third-party providers within the network, the shift to remote working during the pandemic on top of legacy IT, and the granting of varying levels of access to “numerous trusted partners for software development, IT maintenance, and other forms of consultancy.” Rookie errors that make for an uncomfortable read, but hindsight is a marvellous thing.
An educational warning call to other institutions
Whilst it could be easy to scrutinise the security posture (or lack thereof) of the organisation, what I’m really interested in is the response to the attack. The report is brutally honest and makes for a read that sometimes leaves you wincing, especially as a security professional. But, first and foremost, the British Library is a knowledge institution, a cultural hub. They know that knowledge is power. Importantly, the report serves as an educational warning call to other institutions.
A model for effective communications
In many cases, these incidents are active and ongoing crime scenes, especially when initially reported. The British Library’s response foregrounded emotional intelligence and empathy in its approach. The report notes: “Our communications process ensured that staff always saw updated external communications (e.g., external statements, blog posts by the CEO) before the public, giving them the opportunity to digest the latest developments in advance of user queries.” Additionally, the institution engaged with trade unions to address staff concerns. Emphasising collective resilience, the response was a mix of policy and action, with a through line of consistent and constant communication.
It is clear that the organisation kept open lines of communication with everyone affected throughout the process and that they were as transparent - and vulnerable - as possible, despite the incident and recovery being ongoing. Importantly, knowledge matters in a time of crisis. Foregrounding mental health in incident response is woefully underrated.
As always, it’s imperative that organisations think of themselves as good targets, regardless of the data they hold or don’t. Any and all organisations are up for grabs when it comes to relentless, opportunistic cybercriminals. But we must learn from others. Cybersecurity has always been a place of community and sharing (see open-source efforts). We’re stronger together.
Accountability and Transparency
Finally, what you do or don’t do will be noticed—and noted. Take the 23andMe breach, where the company blamed end users for the incident. This ruffled feathers with the press, current customers, and prospective customers, and landed the company a class action lawsuit. Sometimes, taking accountability and being transparent is the best route. As always, it’s time to be a little bit more vulnerable.