UK museums ignored the British Library warning, and the lesson is not about museums

· Carl Heaton · Security Commentary

The Public Accounts Committee, the cross-party group of MPs that scrutinises how public money is spent, has told UK museums and galleries that they have not learned the lesson of the 2023 British Library ransomware attack and remain highly vulnerable. The PAC chair, Geoffrey Clifton-Brown, was direct about where the failure sits: the institutions "are being let down by a lack of leadership" from the Department for Culture, Media and Sport.

It is tempting to read this as a story about museums. It is not, or not only. The British Library was hit by the Rhysida ransomware group in October 2023, lost much of its digital service for months, and the lessons were written up in public for anyone to read. Two years later, MPs find the sector still exposed. The interesting question is not "why are museums bad at security". It is "why did a clear, public, expensive warning fail to change behaviour at organisations that had every reason to pay attention". That question is the one every business should sit with, because the answer is rarely about technology.

What the committee found

The PAC's verdict is that the cultural sector has taken a reactive approach rather than getting ahead of the risk. It found no concrete examples of protective actions the sector had taken in response to high-profile attacks. It criticised DCMS for a hands-off approach, and pointed to weak information-sharing between institutions, so that a lesson learned painfully by one was not passed to the others.

The committee was clear that this is not a niche concern. UK museums and galleries generated £563 million in income in 2024-25 and draw millions of visitors. That makes them attractive targets: they hold money, data, and reputations, and disruption to them is highly visible. The British Museum featured too, having suffered an incident later determined to be an inside job, a reminder that the threat is not always external.

The recommendations are the ones you would expect: DCMS should set out concrete actions, support better information-sharing, help with the skills shortage, and stop treating security as somebody else's problem. Sensible, and slightly beside the point. The recommendations describe what good looks like. They do not explain why two years of a public, well-documented disaster did not produce it.

Why the warning did not land

Here is the part worth more than the report itself. The British Library attack was not a secret. The library published a detailed, honest review of what happened. The security press covered it heavily. The lessons were available, free, to every institution that might be next. And the sector still did not move.

That happens for reasons that have nothing to do with museums and everything to do with how organisations think about risk.

"That was them, not us." It is remarkably easy to read about another organisation's breach and quietly conclude it does not apply to you. They were bigger, or more famous, or used different systems, or were just unlucky. The British Library is a national institution; a regional museum can persuade itself it is too small to be worth attacking. Every business does a version of this. The attack on a competitor becomes a story you watch rather than a warning you act on.

No owner. A warning with no individual responsible for acting on it produces a discussion, not a change. The PAC's complaint about leadership is really this: nobody owned the response across the sector, so the response did not happen. Inside a single business it is the same failure at smaller scale. "We should look at that" said in a meeting, with no name attached and no date, is how good intentions die.

Security competes with everything else. A museum's budget fights between conservation, exhibitions, buildings, and staff. Security loses that fight until it becomes an emergency, at which point it wins decisively and expensively. An SME's budget works the same way. The patch, the backup test, the access review: each loses to the thing that is on fire today, right up until it becomes the thing on fire.

None of these are technical problems. All of them are why a clear warning failed.

The belief that does the most damage

Of all of these, "we are too low-profile to be a target" is the one worth pulling out, because it is both the most common and the most wrong.

It used to contain a grain of truth. When attacks were hand-crafted, attackers picked targets worth the effort, and a small organisation could reasonably hope to be beneath notice. That world is going. Modern attacks are largely indiscriminate: automated scans look for any exposed weakness, ransomware groups hit whoever they can reach, and, as the Five Eyes recently warned, AI is making it cheaper to attack everyone rather than just the valuable few. You are not too small to be attacked. You are, at most, too small to make the news when you are.

That last point matters, because "we would have heard about it" is part of why low-profile feels safe. Small organisations get breached constantly. You do not read about most of them. The absence of headlines about businesses like yours is not evidence that businesses like yours are safe. It is evidence that businesses like yours are not newsworthy.

What to actually do

The lesson from the PAC report, for a business that is not a museum, is not a list of controls. It is a question and a habit.

The question: when you read about an attack, do you act, or do you watch? Next time a breach in your sector, or a supplier, or a competitor crosses your desk, treat it as a drill. Ask one thing: could that have happened to us, and if it did, what would have stopped it. Then do the one thing the answer points to. Most organisations consume breach news as entertainment. The ones that get better consume it as a free lesson someone else paid for.

The habit: give security an owner and a calendar. The PAC's core complaint was leadership, and that is fixable in a small business in an afternoon. Name one person responsible for security, even if it is the managing director and even if it is a fraction of their week. Put a recurring slot in the calendar, monthly is plenty, to ask three questions: what changed, what is overdue, and what did we learn from anyone else's bad week. Security that lives on someone's calendar gets done. Security that lives in good intentions does not.

The British Library wrote down its disaster so others would not repeat it. Two years on, a committee of MPs is the proof that publishing a lesson is not the same as anyone learning it. The difference between the institutions that act and the ones that do not is not budget or sophistication. It is whether someone owns it, and whether they treat other people's breaches as warnings or as television.

How Steelwise can help

If reading this prompted the thought "we are probably one of the ones watching rather than acting", that is the useful instinct. Giving security a clear owner and a simple monthly rhythm, and turning the last breach you read about into an actual check of your own setup, is exactly the kind of practical start we help with. Get in touch.
