The British Library's £7 Million MFA Decision


This episode is brought to you by Authentrend, providing biometric FIDO2 security solutions that make MFA actually work for small businesses. Check them out at authentrend.com/smallbizcyberguy


Let me tell you about one of the most expensive efficiency decisions in UK public sector history. And why your business is probably about to make a similar mistake.

The Decision

October 2023. The British Library, one of the world's largest libraries and the UK's national library, experienced what the ICO later described as an attack that "escalated because of the lack of multi-factor authentication on an administrator account."

Let's be very clear about what happened here.

The British Library had considered implementing MFA on its on-premise servers. This wasn't ignorance. This wasn't a lack of awareness. They knew MFA was necessary.

According to their own cyber incident review published in March 2024, they made a conscious decision not to implement it "for reasons of practicality, cost and impact on ongoing Library programmes."

Translation: They knew they should do it. They decided not to because it would be inconvenient and expensive.

That decision cost them £7 million.

The Numbers

Let's talk specific costs, because this is where the doorman fallacy becomes brutally clear.

MFA implementation for their on-premise server infrastructure: estimated £30,000-50,000 for initial setup and integration. Perhaps £10,000 annually for ongoing maintenance and support. Training costs for staff: maybe £5,000. Total first-year cost on those estimates: roughly £45,000-65,000. Call it £50,000.

Cost of not implementing MFA:

£6-7 million in recovery costs (around 40% of the Library's financial reserves).
600GB of staff and user data exfiltrated and dumped on the dark web.
Services disrupted for over a year. The main catalogue was unavailable from October 2023 until January 2024, and returned then only in a read-only form. Digital services remained partially unavailable throughout 2024.
Reputational damage to one of the UK's most respected cultural institutions.
Impact on 20,000+ authors awaiting Public Lending Right payments.
Disruption to thousands of researchers and academics.
ICO investigation and public scrutiny.

They saved £50,000. It cost them £7 million.

That's a 140:1 cost ratio. For every pound "saved" by not implementing MFA, they spent £140 recovering from the breach that lack of MFA enabled.

The Attack

The Rhysida ransomware gang gained initial access through what the Library believes was phishing, spear-phishing or a brute-force attack, most likely using compromised third-party credentials.

Without MFA on administrator accounts, once the attackers had credentials (stolen, phished, or brute-forced), they had full access.

They didn't need to bypass elaborate security controls. They just needed a password.
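To make that concrete, here is an added example, written for this article and not code from the British Library or from Rhysida, showing why a stolen password is full access under a password-only policy and is not enough once a second factor is required. It implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with HMAC-SHA1, 30-second steps and six digits, and checks them against a constructed account store. The account name, the password and the timestamps are assumptions for the demonstration; the TOTP secret is the RFC test-vector key, so the codes it produces can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# --- RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side to tolerate clock skew.
    The comparison is constant-time so the check does not leak timing per digit."""
    return any(
        hmac.compare_digest(totp(secret, at_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )

# --- Constructed account store (an assumption for this example, not any real system's data) ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

ADMIN_SALT = b"constructed-per-user-salt"
ACCOUNTS = {
    "svc-admin": {  # hypothetical administrator account
        "pw_hash": hash_password("Winter2023!", ADMIN_SALT),  # hypothetical password; assume it leaked via phishing
        "salt": ADMIN_SALT,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret, "enrolled" on the admin's authenticator
    }
}

def login(username: str, password: str, totp_code, at_time: float, require_mfa: bool) -> bool:
    """Authenticate. With require_mfa=False a correct password is sufficient; with
    require_mfa=True a TOTP code valid at `at_time` must also be presented."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    if not hmac.compare_digest(acct["pw_hash"], hash_password(password, acct["salt"])):
        return False
    if not require_mfa:
        return True  # password-only policy: a phished or brute-forced password is full access
    if totp_code is None:
        return False  # the attacker holds the password but not the authenticator
    return verify_totp(acct["totp_secret"], totp_code, at_time)

def attack_outcomes(at_time: float) -> dict:
    """The same stolen password under three policies/situations; returns what the attacker gets."""
    stolen = "Winter2023!"
    return {
        "password_only_policy": login("svc-admin", stolen, None, at_time, require_mfa=False),
        "mfa_required_no_code": login("svc-admin", stolen, None, at_time, require_mfa=True),
        "mfa_required_guessed_code": login("svc-admin", stolen, "000000", at_time, require_mfa=True),
    }

if __name__ == "__main__":
    now = time.time()
    print("Attacker with stolen password:", attack_outcomes(now))
    # The legitimate admin, whose authenticator shares the enrolled secret, still gets in.
    print("Admin with password + current code:",
          login("svc-admin", "Winter2023!", totp(b"12345678901234567890", now), now, require_mfa=True))
```

Run it and the first line shows the stolen password succeeding under the password-only policy and failing under both MFA cases, while the second shows the real administrator still logging in. One caveat a practitioner should keep in mind: TOTP defeats the attack described here (a password obtained by phishing, brute force or a third-party leak and used later), but a code can still be relayed by a real-time phishing proxy inside its 30-second window; phishing-resistant factors such as FIDO2 authenticators bind the response to the site's origin and close that gap as well.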

The attackers then encrypted data and systems, destroyed servers to hamper recovery, deleted logs to cover their tracks, and exfiltrated 600GB of files before demanding 20 Bitcoin (approximately £596,000 at the time) for restoration.

When the Library refused to pay, Rhysida published the data on the dark web.

The Pattern

This isn't unique to the British Library.

According to the 2025 Cyber Security Breaches Survey, 85% of businesses that identified a breach reported phishing among the attacks they experienced. Phishing leads to credential theft. Credentials without MFA protection become ransomware welcome mats.

The British Library's case is simply the most documented, most public, and most expensive example of a pattern that's playing out across UK businesses daily.

Organisations decide MFA is too inconvenient, too expensive, or too disruptive. Then they pay vastly more when that decision backfires.

The Justifications

Let's examine the British Library's stated reasons for not implementing MFA, because they're identical to justifications I hear from businesses regularly.

"Practicality"

MFA adds 15-30 seconds to login times. For administrator accounts accessed maybe 20 times daily, that's 5-10 minutes of "lost productivity" per day.

Over a year, maybe 40 hours of cumulative login time across all administrators.

The "practical" decision saved 40 hours and cost 40% of their financial reserves.

How practical does that sound now?

"Cost"

MFA solutions for on-premise infrastructure aren't free. Hardware tokens, software licences, integration work, testing, training. Call it £50,000 to do appropriately.

That's real money for any organisation.

But it's 0.7% of the £7 million they subsequently spent on recovery.

Which cost was actually more expensive?

"Impact on ongoing programmes"

MFA implementation would have disrupted projects. Required coordination across teams. Delayed other initiatives.

Fair enough. Change management is complex in large organisations.

But ransomware recovery disrupted every programme for over a year.

Which had more impact on ongoing operations?

The Institutional Mindset

Here's what interests me most about this case: The British Library isn't a struggling SME making desperate cost cuts to survive. They're a well-funded, highly-regarded national institution with security-conscious staff and access to NCSC guidance.

If they can fall into the doorman fallacy trap, any organisation can.

The trap isn't ignorance. It's the systematic bias toward visible costs over invisible risks.

MFA implementation is a visible cost. Budget line items. Project timelines. Staff disruption. These things are measurable, immediate, and politically difficult.

Ransomware risk is invisible until it materialises. Statistically probable but individually uncertain. Future-focused rather than present-focused. Easy to justify delaying because "we haven't been breached yet."

This cognitive bias applies identically whether you're the British Library or a 15-person SME in Birmingham.

The NCSC Guidance

The National Cyber Security Centre has been crystal clear on MFA for years.

Their guidance on protecting your organisation from ransomware explicitly states: "Use multi-factor authentication (MFA) to reduce the impact of password compromises."

Their Cyber Essentials scheme, which serves as the baseline for UK government cybersecurity requirements, has mandated MFA for administrator accounts since 2021.

The guidance was clear. The requirements were known. The Library chose not to follow them.

And before you say "but government requirements don't apply to us," remember: the attack vectors don't care about your sector. Rhysida targets schools, hospitals, government agencies, and businesses identically.

The techniques that breached the British Library work identically on your infrastructure.

The Broader Implications

The 2025 Cyber Security Breaches Survey shows that only 40% of UK businesses use two-factor authentication. That means 60% are vulnerable to the same attack vector that cost the British Library £7 million.

Ransomware attacks doubled from under 0.5% of businesses in 2024 to 1% in 2025. That's 100% growth in prevalence.

Average breach costs are £1,600 per business, rising to £3,550 when you exclude zero-cost responses. But cyber-facilitated fraud (where breaches enable fraudulent activity) averages £5,900, increasing to £10,000 excluding zeros.

Translation: The British Library isn't an outlier. They're a preview.

They're what happens when common vulnerabilities (no MFA) meet common threats (credential-focused ransomware) in an environment of systematic under-investment in security.

The only unusual thing about their case is the public documentation and transparency. Most businesses experiencing similar incidents quietly pay ransoms, settle ICO investigations, and never publish incident reviews.

What This Means For You

If you're reading this thinking "we're considering making MFA optional for internal systems to reduce friction," stop.

If you're reading this thinking, "MFA implementation is too expensive for our budget," calculate what ransomware recovery would cost.

If you're reading this thinking "we'll implement MFA next financial year," understand that attackers don't wait for your budget cycles.

The British Library thought they could defer the MFA for practical reasons. It cost them £7 million and over a year of disruption.

Your business won't fare better with identical vulnerabilities facing identical threats.

The Uncomfortable Questions

Every organisation should ask itself:

Do we have MFA on all administrator accounts? (If no: why not? What's the cost of being wrong?)
Do we have MFA on remote access? (If no: what's stopping us?)
Do we have MFA on privileged accounts? (If no: have we calculated the downside risk?)
Do we have MFA on cloud applications? (If no: what happens when credentials leak?)

If your answer to any of these is "no" or "we're planning to," you're vulnerable to the exact attack that cost the British Library £7 million.

The Efficiency Theatre

This is what Noel calls "efficiency theatre."

Organisations make visible cost cuts that feel like good management, whilst ignoring invisible risks that feel like paranoia.

MFA feels like overhead. Ransomware recovery is overhead.

The difference: MFA is an optional overhead you choose to prevent problems. Ransomware recovery is a mandatory overhead imposed by attackers.

You're going to pay overhead either way. The only question is whether you pay £50,000 for prevention or £7 million for recovery.

The Policy Implications

From a policy perspective, the British Library case demonstrates why voluntary security guidance isn't sufficient.

Organisations know what they should do. They have access to NCSC guidance, ICO requirements, and industry best practices. They still choose not to implement basic controls for reasons of "practicality, cost and impact."

Then they pay vastly more when those decisions backfire.

This suggests either stronger enforcement of existing requirements or acceptance that voluntary compliance leads to systematic under-investment followed by expensive breaches.

I spent years in government developing guidance that organisations then ignore. The British Library had every resource, every document, every advisory available. They still made the wrong decision.

What does that tell you about the effectiveness of voluntary guidance?

The Learning Opportunity

Credit where due: The British Library published a comprehensive incident review documenting exactly what happened and why.

That transparency is valuable. Most organisations bury their failures. The Library chose to share lessons publicly so others might learn without paying the exact cost.

The question is: Will anyone actually learn?

Or will we continue to see organisations make identical decisions with identical justifications, experiencing identical breaches, and paying identical recovery costs?

Given that current statistics show 60% of businesses still don't use MFA, I'm not optimistic.

Final Thoughts

The British Library's experience isn't a cautionary tale about sophisticated attack techniques or zero-day vulnerabilities.

It's a cautionary tale about basic decisions with catastrophic consequences.

They knew they should implement MFA. They decided it was too expensive and disruptive. That decision cost them 140 times what MFA would have cost.

This is the doorman fallacy at its clearest: defining MFA's function narrowly (adding login steps), missing its actual value (preventing credential-based attacks), cutting it to save money, then paying vastly more when the invisible value becomes glaringly obvious.

Your business faces identical decisions.

MFA or convenience? Security investment or budget savings? Prevention costs or recovery costs?

The British Library chose convenience, savings, and deferral. It cost them £7 million and over a year of disruption.

Choose differently.

Implement MFA on all administrator accounts. Implement MFA on remote access. Implement MFA on privileged accounts. Implement MFA on cloud applications.

Not because NCSC guidance says so. Not because Cyber Essentials requires it. Not because the ICO expects it.

Because the alternative costs 140 times more.

The British Library learned this lesson. Don't learn it the same way they did.

Mauven MacLeod is co-host of The Small Business Cybersecurity Guy podcast and a former Government Cyber Analyst. She specialises in translating government security guidance into practical implementation for UK businesses.

