
British Library: Exabeam Insights into Lessons Learned
- Apr 08, 2024
- Randeep Gill
According to the Exabeam 2023 Threat Detection, Investigation, and Response (TDIR) Report, global spending on cybersecurity solutions reached over $92 billion in 2022, with projections soaring to $170 billion by 2027. Despite these significant investments, the cybersecurity breach that impacted the British Library in October 2023 further reinforces the need for continuous critical conversations among CISOs and cybersecurity leaders. The incident not only highlights vulnerabilities inherent within public sector entities, but also offers a chance for us to reassess our alignment with cybersecurity frameworks and guidelines, in this case those of the Department for Culture, Media and Sport (DCMS).
This article contrasts some of the key lessons learned from the British Library breach with insights from the report to shed light on the evolving threat landscape.
Ongoing risk in the public sector
The cyberattack on the British Library in October 2023 is not isolated. Statistics show an alarming increase in cyberattacks targeting the public sector, with an approximate 73% increase in ransomware attacks alone over the past year. In the UK specifically, March 2023 was the “worst month on record” for breach victims. These statistics underscore a pressing need for enhanced cybersecurity measures that not only prevent attacks but ensure rapid, effective responses when they do occur.
Key lessons drawn from the British Library breach and the Exabeam report
Enhanced network monitoring capabilities
Despite having security measures in place, the British Library saw 600 GB of data exfiltrated, emphasizing the need for heightened network monitoring and earlier visibility. Echoing this, the Exabeam report reveals that over 70% of organizations reported better performance in cybersecurity KPIs, attributing this improvement to enhanced monitoring and automation capabilities.
Retain on-call external security expertise
The British Library attack highlighted the benefit of third-party providers. The Exabeam report and the DCMS both point to the value of external experts, with 35% of organizations acknowledging the need for more assistance in understanding behavior within their IT environments, showcasing the importance of external cybersecurity expertise.
Enhance intrusion response processes
The swift activation of the British Library’s crisis management plans exemplifies the importance of a robust intrusion response process through effective automation. The Exabeam report supports this, emphasizing the push towards automating the common repeatable processes, with findings showing a significant portion of organizations automating more than 50% of their TDIR workflow, thus streamlining their response to cyberthreats. This is in line with the DCMS’s approach to risk management and internal controls, advocating for practices that optimize efficiency and ensure rapid response to threats.
Maintain a holistic overview of cyber risk
The complexity and segmentation of the British Library’s IT environment contributed to the attack’s persistence and impact, highlighting the necessity of a holistic approach to cyber risk management across multiple segments and a software-defined wide area network (WAN) definition. This is paralleled in the Exabeam report, which notes that, despite a high confidence in TDIR capabilities, organizations acknowledge challenges in the lack of visibility and the subsequent time-consuming nature of investigations, with only 66% visibility into their full IT environments on average.
Regularly train all staff in evolving risks
The British Library’s revision of its staff IT policy on cybersecurity risk training aligns with the DCMS’s call for continuous professional development. The Exabeam report amplifies this, revealing that continued internal training is vital for upskilling and addressing knowledge gaps in cybersecurity, a perspective shared by a vast majority of the surveyed organizations.
Prioritize remediation of issues arising from legacy technology
The impact of the incident on the British Library was made worse by its legacy systems. This reinforces the well-documented need to identify, classify and monitor such systems. But it also drives the urgent need for modernization in terms of security, log management, observability, and fast threat detection. The Exabeam report highlights that, despite advancements, 57% of organizations experienced significant security incidents, emphasizing the continuous threat posed by legacy technologies and the importance of modernizing and securing these infrastructures.
A call for enhanced cyber resilience
The British Library cyberattack, correlated with findings from the Exabeam 2023 TDIR Report, underlines the essential elements of a robust cybersecurity strategy. Public sector organizations need to continuously work to align themselves with the principles outlined in the DCMS guidelines, which, in turn, will help them move toward a more resilient and robust cybersecurity posture. Many organizations use manual processes and disparate security products to meet regulatory requirements, like the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA) for financial organizations. If only performed ad hoc, manual processes can leave organizations at risk for audit failure, fines, and disclosure reporting. Exabeam provides detection rules, models, and compliance reports that show auditors security controls are in place and work as designed.

Randeep Gill
Principal Security Strategist | Exabeam | Randeep is a Principal Security Strategist at Exabeam. He has been entrenched as a cybersecurity professional for over 15 years. His experience spans from working in SOCs for global service providers to leading vendors. His key focus has been to help organizations understand their cybersecurity risks and to provide a means to strengthen their security posture through thought leadership and best-of-breed products and technologies.