Case Study: The CISO’s Real-World Playbook

Finding a detailed and transparent case study on cybersecurity incidents can be challenging. Many organisations, when hit by a cyberattack, choose to disclose minimal details, often citing confidentiality concerns or ongoing investigations. Victims also tend to present themselves as blameless, emphasising their helplessness rather than acknowledging potential security oversights. Additionally, in many cases, the exact attack vectors remain undisclosed or inadequately explored, either due to a lack of forensic investigation or an unwillingness to reveal weaknesses. This lack of transparency makes it difficult to analyse incidents objectively and extract valuable lessons.
This is why we have chosen the British Library cyberattack as our case study. Unlike many other victims, the British Library openly shared information about the attack, including the vulnerabilities that were exploited and the impact on their systems. Their approach provides a rare opportunity to examine the incident in detail and assess how stronger cybersecurity leadership, such as having a Chief Information Security Officer (CISO), could have mitigated or even prevented the breach.
Case Study
In late October 2023, the British Library experienced a significant cyberattack orchestrated by the Rhysida ransomware group. The attack led to extensive disruptions in the Library's operations and compromised sensitive data.

The incident began on October 28, 2023, when the Library detected a major IT outage, later identified as a ransomware attack. The attackers encrypted or destroyed substantial portions of the Library's server infrastructure, rendering many online systems and services inoperable. Approximately 600GB of data, including personal information of users and staff, was exfiltrated. Following the Library's refusal to pay the ransom, the attackers released a significant portion of the stolen data on the dark web, exposing sensitive personal information and leading to potential security risks for those affected.

The attack severely disrupted the Library's services, including its website, online systems, and some onsite services. The destruction of server infrastructure hindered the Library's ability to restore services promptly. Recovery efforts were estimated to cost the Library between £6–7 million, consuming about 40% of its financial reserves. This significant financial impact underscored the high cost of addressing such cyber incidents.

The release of personal data on the dark web exposed users and staff to potential security threats, including identity theft and fraud. The Library had to undertake extensive efforts to notify affected individuals and provide guidance on protective measures.
Opportunities
The absence of a Chief Information Security Officer (CISO) likely contributed to the weaknesses described below. A dedicated CISO could have implemented several measures to prevent or mitigate the impact of such an attack:
- Implementation of multi-factor authentication (MFA): The attackers gained access through a Terminal Services server that lacked MFA, a critical security oversight. A CISO would have prioritised the implementation of MFA across all systems, including remote access points, to prevent unauthorised entry.
- Regular security audits and risk assessments: The Library's complex and outdated IT infrastructure, with many legacy systems, contributed to the severity of the attack. A CISO would have conducted regular security audits to identify and address vulnerabilities, ensuring that legacy systems were updated, replaced, or adequately protected.
- Network segmentation: The attack was exacerbated by a lack of network segmentation, allowing attackers broader access once inside. A CISO would have implemented network segmentation to contain breaches and prevent lateral movement within the network.
- Third-party access management: The initial breach likely involved compromised credentials from third-party partners. A CISO would have established stringent access controls and monitoring for external partners, ensuring that third-party access was limited and secure.
- Incident response planning: The Library faced prolonged disruptions and significant financial costs due to the attack. A CISO would have developed and implemented a comprehensive incident response plan, enabling a more efficient and effective reaction to security incidents, thereby minimising operational and financial impacts.
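The first four measures above can be turned into a repeatable posture check that a CISO's team would run against an asset and account inventory. The following is an added example written for this case study; it is not the British Library's tooling, and the hosts, zones, account names and dates in it are constructed for illustration. It flags remote-access endpoints that do not enforce MFA, a flat network or a zone where legacy and current systems mix, and third-party accounts that are either unscoped or open-ended, then shows the same inventory after the controls are applied.

```python
"""Control-gap check over a constructed asset and account inventory.

Added example for the British Library case study (not the Library's own code).
All hosts, zones, accounts and dates are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Host:
    name: str
    zone: str                    # network segment the host sits in
    remote_access: bool = False  # exposes a remote-entry service (e.g. a terminal server)
    mfa_enforced: bool = False   # MFA required to reach that service
    legacy: bool = False         # unsupported / cannot be patched


@dataclass
class Account:
    name: str
    third_party: bool = False
    reachable_zones: Set[str] = field(default_factory=set)
    expires: Optional[date] = None  # None means open-ended access


Finding = Tuple[str, str, str]  # (control, subject, description)


def find_gaps(hosts: List[Host], accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per control gap; an empty list means no gaps found."""
    findings: List[Finding] = []

    # Control 1: every remote-access endpoint must enforce MFA.
    for h in hosts:
        if h.remote_access and not h.mfa_enforced:
            findings.append(("MFA", h.name, "remote-access endpoint without MFA"))

    # Control 2: segmentation. One flat zone, or legacy systems sharing a zone
    # with current ones, leaves nothing to contain a breach.
    zones = {}
    for h in hosts:
        zones.setdefault(h.zone, []).append(h)
    if len(hosts) > 1 and len(zones) == 1:
        findings.append(("SEGMENTATION", next(iter(zones)), "whole estate sits in one network zone"))
    for zone, members in zones.items():
        if any(m.legacy for m in members) and any(not m.legacy for m in members):
            findings.append(("SEGMENTATION", zone, "legacy and current systems share a zone"))

    # Control 3: third-party access must be scoped to what the partner needs and time-limited.
    for a in accounts:
        if not a.third_party:
            continue
        if a.reachable_zones >= set(zones):
            findings.append(("THIRD_PARTY", a.name, "third-party account can reach every zone"))
        if a.expires is None:
            findings.append(("THIRD_PARTY", a.name, "third-party access has no expiry date"))
        elif a.expires < today:
            findings.append(("THIRD_PARTY", a.name, "third-party access has expired but is still enabled"))
    return findings


TODAY = date(2023, 10, 1)  # constructed reference date for expiry checks


def weak_inventory():
    """Constructed inventory with the gaps the case study describes."""
    hosts = [
        Host("ts-gateway", "flat", remote_access=True, mfa_enforced=False),
        Host("catalogue-db", "flat", legacy=True),
        Host("web-frontend", "flat"),
    ]
    accounts = [
        Account("vendor-support", third_party=True, reachable_zones={"flat"}, expires=None),
        Account("staff-alice"),
    ]
    return hosts, accounts


def hardened_inventory():
    """The same estate after MFA, segmentation and scoped third-party access are applied."""
    hosts = [
        Host("ts-gateway", "dmz", remote_access=True, mfa_enforced=True),
        Host("catalogue-db", "legacy-enclave", legacy=True),
        Host("web-frontend", "app"),
    ]
    accounts = [
        Account("vendor-support", third_party=True,
                reachable_zones={"legacy-enclave"}, expires=date(2024, 3, 31)),
        Account("staff-alice"),
    ]
    return hosts, accounts


if __name__ == "__main__":
    for label, inv in (("weak", weak_inventory()), ("hardened", hardened_inventory())):
        print(f"== {label} inventory ==")
        for control, subject, desc in find_gaps(*inv, TODAY) or [("OK", "-", "no gaps found")]:
            print(f"{control:<12} {subject:<16} {desc}")
```

The check is deliberately inventory-driven rather than network-driven: the point of the exercise is that a CISO's office owns an accurate list of remote-entry points, network zones and partner accounts, and re-runs a check like this after every change. The fifth measure, incident response planning, is a process rather than a configuration and is not represented here.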
In summary, the presence of a CISO could have addressed critical security gaps through proactive measures, potentially preventing the attack or reducing its impact.