
We Need to Protect Our Public Institutions from Cyberattacks

By Penny Cagan, Lecturer in the Enterprise Risk Management Program, School of Professional Studies

The British Library occupies a unique place in the United Kingdom. It is one of the largest research libraries in the world, with holdings of more than 170 million items, and serves as a legal depository that collects and catalogs a copy of every book published in the United Kingdom and Ireland.

On October 28, 2023, the British Library suffered a significant ransomware event that brought many of its services to a standstill. The attack was perpetrated by a hacking group called Rhysida, which has been described as a “ransomware-as-a-service” provider. Most services were severely impacted, including the ability to access anything online or to retrieve books from the library or its offsite facility. The library posted in late February 2024 on its website that it continues to experience disruption because of the cyberattack.

The British Library refused to pay a ransom, which was reported to be 20 bitcoins (equivalent to about £600,000), in exchange for access to its data. It is estimated that the cost to the library for recovering its data and online access is approximately £7 million. The ransomware group eventually made most of the data it misappropriated available on the dark web with the message, “Data hunters, enjoy.”

This ransomware event contains lessons about the importance of investing in cybersecurity controls, network security, intrusion detection systems, and education. Training and awareness are important, because at the heart of this case and many like it is the ability of the bad guys to collect the information they need to break into networks through phishing.

Here are some basic controls that all institutions should have in place to protect their information repositories:

  • Regular software updates and patching: Now more than ever, it is critical to regularly patch software as vulnerabilities are identified.
  • Managing end-of-life: When systems and software reach end-of-life status, they may no longer be supported by vendors and patching may no longer be possible. These should be managed carefully until they can be replaced or upgraded.
  • Data security: Sensitive data, including customer, employee, and medical data, must be protected through encryption and controlled on a strict need-to-access basis.
  • Access administration: Access to systems and applications should be carefully managed, with only a select few given the highest clearance and regular reviews of the population of users.
  • Vulnerability scanning: Implementing automated software that scans the environment and alerts on threats and vulnerabilities is a critical component of a cyber risk management program.
  • Risk assessments: Assessing vulnerabilities is critical for understanding where the highest risks reside, so that those risks can be prioritized for immediate attention.
  • Testing: Testing should include simulations of cyberattacks, incident response and recovery plans, ethical hacking to identify potential system weaknesses, and red-team/blue-team exercises that test how well an organization can withstand an actual attack.
  • Incident response and recovery plans: It’s critical to have playbooks in place that include the actual steps an organization will take if an event occurs, with roles, responsibilities, and communication protocols defined. Incident response should be walked through regularly by simulating events and running tabletop exercises.
  • Industry scans: Industry publications, including those that track cyber events, should be monitored for emerging trends and themes.
  • Education and training: The importance of training every employee cannot be overstated, as the stakes are constantly raised by bad actors.

This event is a reminder that we need to protect our public institutions, such as libraries, utilities, and hospitals, which require resources and expertise to secure critical services. Right now, a week doesn’t go by without a notification from one of our institutions that services have been impacted as the result of a cyberattack. They may not have the budgets of their private corporation counterparts to bolster their defenses against such attacks, but there is nothing more critical than protecting our repository of knowledge.

Views and opinions expressed here are those of the authors and do not necessarily reflect the official position of Columbia School of Professional Studies or Columbia University.


About the Enterprise Risk Management Program

The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.

Fall 2024 application deadlines for the M.S. in Enterprise Risk Management program are March 15, 2024 for applicants with international documents, and May 1, 2024 for the final deadline.


About the Operational Risk Management Course

Enterprise Risk Management lecturer Penny Cagan's Operational Risk Management course offers a review of the various types of operational risks, such as technology risk (e.g., cybersecurity), human resources risk, and disasters. The course includes case studies, risk analysis frameworks and metrics, and common mitigation techniques, such as insurance, IT mitigation, and business continuity planning.
