Councils warned they are not ‘immune’ to cyber attack and urged to prepare

Councils have been warned of the “urgent need” to be prepared following an investigation into a “significant” cyber attack on Western Isles Council.

The Accounts Commission said councils should assume it is a case of “when, not if” they are attacked and that a collective approach is needed to prepare for the future.

A report into the November 2023 cyber attack on Western Isles Council found that it caused immediate, severe and prolonged disruption, with the impact most significant for the council’s finance team.

Numerous systems and back-ups were encrypted during the incident which left them inaccessible, including critical financial systems such as the general ledger and associated accounting records.

The report found that the council took swift action to protect systems and prioritise front-line services and payments to staff and suppliers.

However, it found that the impact of the attack might have been reduced if previously identified weaknesses in IT infrastructure, governance, preparedness and staff capacity had been addressed sooner.

The Accounts Commission is urging other local authorities to learn lessons from the Western Isles incident.

A number of councils including Glasgow, West Lothian and Edinburgh have been targeted by such attacks in recent years.

Jo Armstrong, chairwoman of the Accounts Commission, said: “This cyber attack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements.

“Councils need to assume that it’s a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish Government.

“Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers and the local community.

“This increased pressure on staff as they took on additional work, alongside dealing with day-to-day responsibilities.

“We want the council to take action to improve how they communicate and support staff during significant events that could increase workload and stress.”

The report found that recovery from the cyber attack on Western Isles Council has taken “substantial” resources to implement and placed “considerable pressure on staff over a sustained period”.

The report noted that the council has has reported that the direct costs of the cyber attack are approximately £950,000, with £300,000 of this being on a recurring basis as it focuses on “building back better”.

Almost two years on from the attack, there are still some systems which have not yet been fully rebuilt.

The extent of the data loss meant that completing the 2023/24 annual accounts in line with the June 30 2024 deadline was not possible for the council.

The unaudited accounts were published in January 2025 and were based on recovered information from a variety of sources.

The Accounts Commission said that the council must urgently carry out thorough and routine testing of its new response, recovery and business continuity plans.

It also urged other local authorities to be prepared.

The report stated: “We urge all councils to prioritise preparation and testing of plans – this and other recent high-profile cases have shown that nobody is immune, but everyone can be prepared so disruption is minimised.

“This is especially important for councils, whose staff provide services to many of the most vulnerable within our communities.”

Malcolm Burr, chief executive of Comhairle nan Eilean Siar (Western Isles Council), said: “Comhairle nan Eilean Siar welcomes the publication of the Accounts Commission’s report.

“The report illustrates the scale of the cyber attack’s impact and commends the excellent response of Comhairle nan Eilean Siar employees in continuing the operation of Comhairle services.

“Comhairle nan Eilean Siar will review the findings of this report in detail and use the commission’s recommendations to inform our ongoing work to improve cyber-security resilience and our business continuity protocols, which we are pleased to see the report recognise was a key part of our corporate response.

“The report rightly recognises the significant risk of cyber attacks. To allow local authorities to improve cyber security resilience and disaster recovery preparedness it is important that funding for local authorities keeps pace with necessary measures to combat malicious technology and techniques.”

Martyn Wallace, chief digital officer, Digital Office for Scottish Local Government at Cosla, said: “The recent Audit Scotland report is a stark reminder that cyber attacks are not a question of ‘if’ but ‘when’. Since that incident, the Digital Office, Scottish local authorities, and the Scottish Local Authority Information Security Group (SLAISG) have worked closely with key partners including the Scottish Government, NCSC and the Cyber Scotland Partnership to strengthen resilience.

“Through our sector-wide Chief Information Security Officer, the Digital Office has delivered cyber incident exercises across councils and developed standardised policies and guidance.

“We’ve also invested in skills and awareness programmes, supported secure technology adoption, and promoted shared services to reduce risk and cost.

“These actions reflect our commitment to collaboration and continuous improvement, ensuring councils are better prepared to protect vital services and communities in an increasingly digital world.”

A Scottish Government spokesperson said: “We welcome the Accounts Commission report and echo their advice that all public bodies should put in place robust processes to plan for and respond to cyber incidents.

“The Scottish Government and its Scottish Cyber Coordination Centre work closely with all public bodies, including councils, to share intelligence and support incident response planning.”