British Library cyber attack fallout highlights public sector security weaknesses


The British Library’s 2023 run-in with ransomware gang Rhysida will cost the institution approximately 40% of its cash reserves to rectify, according to reports.

The UK’s national library was shut down by a ransomware attack in late October 2023. When officials refused to pay a £600,000 ($763,612) ransom, thousands of stolen files were published online by the threat actor group.

The Financial Times, citing a person familiar with the matter, said the library may be forced to spend between £6 million ($7.65 million) and £7 million ($8.92 million) out of its £16.4 million ($20.9 million) reserves to recover from the attack. It’s also not clear how long it will take for its services to become fully operational again.

While organizations of all stripes can fall victim to cyber attacks, public sector institutions can face greater hurdles than equivalent-sized private sector businesses when it comes to protecting themselves.

“There is a global shortage of skilled cyber security professionals and there is simply not enough staff to meet current public sector security challenges”, Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, told ITPro.

“Cybersecurity professionals often command high salaries due to the demand for their skills and nature of the work. Public sector organizations may struggle to meet these salary expectations, which can make recruitment challenging”, he added.

Curran suggests that, while private sector tech giants dominate the recruitment landscape, public sector recruiters are priced out and unable to hire the staff they need.

“The skills required to secure infrastructure are more specialized and harder to find”, Curran went on. “The constantly changing threat environment makes it difficult to find individuals who are up to date with the latest skills and knowledge”.

These factors combined mean many public sector bodies simply have neither the expertise nor the resources to keep up.

The public sector needs to rethink its visibility as a target




Matt Middleton-Leal, MD EMEA at cloud security firm Qualys, was keen to draw attention to the issue of mindset in the public sector, arguing that many of these organizations don’t view themselves as being in the firing line of cyber crime.

“One of the issues to consider is that many organizations, such as the British Library, may have never considered themselves a target for these kinds of attacks”, he told ITPro.

“They don’t see themselves as private companies that would generate enough revenue to be worth attacking”, he added. “As a direct result of this, they may not have gone through the response planning and implementation of controls around disaster recovery that, say, a financial services company may have done”.

George Fitzmaurice
Staff Writer
