Of all the sessions I attended at ERC 2022, the scenario presented by Katie Robson and Jen Kaines from the Royal Armouries in Leeds, UK, was the one that made me the most uncomfortable in terms of having the realisation that their subject matter was not only something I was unfamiliar with, but that it was about a risk that both I and my organisation were exposed to.

Their presentation was titled Cyber Attacks! The Risks and Lessons Learnt, and it was an area of work I had not seriously considered before, assuming it would be in the remit of IT personnel to plan for and to react to. What the Armouries presentation made me realise is that a cyber attack is something we all have to plan for in terms of our working requirements, and that any plans we already have would benefit from being revised, learning from the experiences the Armouries had.

Covid has already tested the sector in terms of emergency plans and many organisations did not perhaps have a global pandemic on their list of possibilities until 2020, and if they did, they may have found that their plans did not meet all the requirements that navigating Covid demanded. Royal Armouries Leeds experienced a two-month outage of IT systems after being targeted by a cyber attack, and as Covid had moved many processes into the digital world, so they had to step back and consider how they could continue working without the IT systems being available.  Although cyber attacks may be part of an organisation’s plans, those plans are probably high level rather than detailed in terms of how each role in the organistaion can function after more than a short period without the IT network. Also, few individuals have probably thought through what they would need in the event of a cyber attack, or how it would affect their day to day working over a number of weeks, not just for a few hours.

As registrars we spend the majority of our time managing risk and planning for different scenarios, but this planning often relies on central IT systems being available. What was apparent in the presentation was just how much we rely on those systems being available and the interconnectivity of our IT systems. More obviously, we rely on internal digital networks to access emails, collections information systems and files, but often our phone systems, payroll, finance systems, environmental monitoring, CCTV and security alarms are all connected through internal digital systems.

Cyber attacks do not arrive conveniently at the end of a project, they will commence whilst loans are being transported, while couriers are travelling, during installations or acquisition negotiations. How do you communicate with lenders and donors, how do you reassure them that information and security has not been compromised when in fact you may not know the extent of the issues. The Armouries had to initially depend on staff using their own digital devices and setting up new email addresses for the most pressing communications and actions. This can reveal digital poverty amongst staff. A reliance on staff’s own digital assets in terms of phones, laptops and Wi-Fi isn’t foolproof, staff may not have the digital assets or they may be sharing these with family members for school or work, and this may also present security issues. Organisations should invest in equipment to mitigate this risk.

The importance of retaining hard copies of key documents was highlighted by the attack, which is particularly important as Covid and sustainability has reduced the use of hard copies. An assessment of what key documents need to available in a non-digital format is key.

Regular and honest communications with external stakeholders was also key to make sure work could progress and that trust and relationships were maintained during the two month period. It was not possible to ascertain what information the attackers managed to steal from the IT systems, or how that information could be used maliciously, so it was also important to scope what they could have accessed and plan accordingly.

The main takeaway from this session was that testing and reviewing your plans is vital. And make sure your plans are not just for short term but long term scenarios – months not hours. Training all staff for cyber attack scenarios is time well spent. Digital information may not be recoverable, have hard copies of key information. Involve everyone in your planning. Stay calm and don’t panic – but be prepared!

Lyn Stevens


National Museums Scotland