Two years ago the local authority for the Outer Hebrides suffered a cyber incursion that impacted delivery of frontline services and resulted in costs of hundreds of thousands of pounds.
A report into a cyberattack on a Scottish council has found that the organisation had not properly prepared for such an event.
A new report from Scotland’s Accounts Commission finds that, while Comhairle nan Eilean Siar – also referred to as Western Isles Council – did take swift action to protect its systems following a ransomware assault in 2023, it had not adequately prepared for a potential attack.
The review found that the impact of the attack was immediate, crippling the council’s ability to function and resulting in the near total loss of the data held on the council’s file share servers. It was identified as a sophisticated ransomware attack, in which attackers installed malware on the council’s system that encrypted, and removed access to, the council’s systems and data. The report does note that the council “escalated the issue appropriately” when it was discovered, meeting regularly and ensuring that a temporary website was available for constituents.
As a result of the attack, various services were affected, leaving users unable to access critical services like paying council tax. The report said the impact of the disruption is still being felt, as some services like housing benefit are still recovering and dealing with significant backlogs.
“Both the auditor and the independent reviews commissioned have identified that the organisation had gaps in their cybersecurity, business continuity and disaster recovery arrangements in place,” said the report. “It is not possible to conclude whether a more robust control environment would have prevented the cyberattack however, stronger controls may have helped to reduce its impact or improve the speed of detection and response.”
The Accounts Commission said that, despite an internal audit recommending 10 steps to increase the council’s cybersecurity after the attack, only five of those recommendations have been fully implemented.
The report further highlighted that specific policies around staff training, testing of cyber-resilience plans and the full compliance of the council with the National Cyber Security Centre’s cybersecurity principles were still outstanding.
The attack is estimated to have cost the council over £950,000 in direct costs, with £300,000 of this occurring on a regular basis as the council focuses its efforts on rebuilding systems.
“We urge all councils to prioritise preparation and testing of plans – this and other recent high-profile cases have shown that nobody is immune, but everyone can be prepared so disruption is minimised,” said the report. “Nobody reading this report should think that, because their IT setup differs from that of nan Eilean Siar, ‘it couldn’t happen to us’”.
Jo Armstrong, chair of the Accounts Commission, added: “This cyberattack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements. Councils need to assume that it’s a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish Government.”
Malcolm Burr, chief executive of the council, said: “Comhairle nan Eilean Siar will review the findings of this report in detail and use the Commission’s recommendations to inform our ongoing work to improve cyber-security resilience and our business continuity protocols, which we are pleased to see the report recognise was a key part of our corporate response. The report rightly recognises the significant risk of cyber-attacks. To allow local authorities to improve cyber security resilience and disaster recovery preparedness it is important that funding for local authorities keeps pace with necessary measures to combat malicious technology and techniques.”

A version of this story originally appeared on PublicTechnology sister publication Holyrood.


