Post Detail

All tech-enabled systems and services are back up and running at Seattle Public Library this week, roughly three months after a ransomware attack partially crippled the institution and its 27 branches across the city. And cybersecurity experts are praising some of the steps taken to protect against future attacks.

The cybersecurity breach over Memorial Day weekend affected access to staff and public computers, online catalog and loaning systems, e-books and e-audiobooks, in-building Wi-Fi, the library website, and more.

Over the course of its recovery, SPL gave incremental updates on what services it had restored and what work remained to be completed. Cybersecurity experts also previously weighed in on why the library was a target and what such organizations could do to shore up defenses.

The library said in a statement Tuesday that it is working to conduct an assessment of its response to the attack and will issue a public report later this year. But SPL did reveal to GeekWire some of the steps it has taken to prevent future attacks.

“The work to strengthen our systems began prior to the attack, but remaining items in IT’s work plan were expedited after the attack,” said Laura Gentry, head of communications for the library. “Since Memorial Day weekend, the library expedited migration to SharePoint Online, as well as implementation of multi-factor authentication on staff systems — which took place over the course of three days, rather than the weeks-long process we had planned.”

Gentry said SPL also expanded its use of cloud-based Microsoft tools that it had recently implemented for file management and communication needs. The IT staff also leveraged cloud-based infrastructure capabilities and retired some legacy on-premises services to “build back better” post-attack.

The library also re-imaged approximately 1,000 computers (serving both staff and public), forced password updates systemwide, and strengthened password requirements, according to Gentry.

Jim Alkove, CEO of Seattle-based cybersecurity startup Oleria, commended the library for implementing multi-factor authentication and migrating to cloud-based services, calling both essential moves to restore operations and fortify library systems for the future.

While MFA significantly enhances security, Alkove said it’s most effective when it’s deployed comprehensively and uses strong, phishing-resistant methods like FIDO2 keys and passkeys.

“The other critical aspect of ransomware prevention is patching,” Alkove said. “By transitioning to SaaS and cloud environments, SPL has effectively offloaded the responsibility for patch management of critical server assets to vendors that are typically better resourced to maintain patch compliance.” He added that it reduced the attack surface of legacy on-premises systems, which can be a common target for attackers.

Sunil Gottumukkala, co-founder and CEO of Seattle-based cybersecurity startup Averlon, also lauded the move to MFA for staff. It was something he hoped the library would institute when he spoke to GeekWire shortly after the attack in May.

“In terms of moving to cloud services from Microsoft to ‘build back better’ … while that’s good in general, it may not be relevant in terms of defending against future ransomware attacks,” Gottumukkala said Thursday via email. “They should put in a ‘recover and rebuild’ plan that is periodically tested, which they haven’t mentioned.”

He said lack of preparedness could explain why it took the library so long to recover from the attack, but he cautioned that all the details about where SPL spent its time in the recovery process are not yet known.

Alkove agreed that it’s essential that the library’s security protocols are regularly tested, monitored and maintained. Part of that involves solving persistent challenges around “over-provisioning” — meaning providing just the access and permissions users need and nothing more. Alkove said most organizations grapple with a significant over-provisioned user access — creating “a large attack surface for a bad actor” — and Microsoft reports that 95% of access goes unused.

Alkove said recovery timelines can vary widely between organizations, but true resilience goes beyond just getting systems back online.

“The SPL incident, like the recent Crowdstrike incident, highlights the need for every organization to focus on cyber resilience,” Alkove said. “This is why business continuity planning is so crucial. Organizations must continuously update and test their recovery plans to ensure they can respond swiftly and effectively the next time an attack happens.”