iStockCouncils have been warned of the “urgent need” to be prepared following an investigation into a “significant” cyber attack on Western Isles Council.
The Accounts Commission said councils should assume it is a case of “when, not if” they are attacked and that a collective approach is needed to prepare for the future.
A report into the November 2023 cyber attack on Western Isles Council found that it caused immediate, severe and prolonged disruption, with the impact most significant for the council’s finance team.
Numerous systems and back-ups were encrypted during the incident which left them inaccessible, including critical financial systems such as the general ledger and associated accounting records.
The report found that the council took swift action to protect systems and prioritise front-line services and payments to staff and suppliers.
However, it found that the impact of the attack might have been reduced if previously identified weaknesses in IT infrastructure, governance, preparedness and staff capacity had been addressed sooner.
The Accounts Commission is urging other local authorities to learn lessons from the Western Isles incident.
A number of councils including Glasgow, West Lothian and Edinburgh have been targeted by such attacks in recent years.
Jo Armstrong, chair of the Accounts Commission, said: “This cyber attack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements.
“Councils need to assume that it’s a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish Government.
“Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers and the local community.
“This increased pressure on staff as they took on additional work, alongside dealing with day-to-day responsibilities.
“We want the council to take action to improve how they communicate and support staff during significant events that could increase workload and stress.”
The report found that recovery from the cyber attack on Western Isles Council has taken “substantial” resources to implement and placed “considerable pressure on staff over a sustained period”.
The report noted that the council has has reported that the direct costs of the cyber attack are approximately £950,000, with £300,000 of this being on a recurring basis as it focuses on “building back better”.
Almost two years on from the attack, there are still some systems which have not yet been fully rebuilt.
The extent of the data loss meant that completing the 2023/24 annual accounts in line with the June 30 2024 deadline was not possible for the council.
The unaudited accounts were published in January 2025 and were based on recovered information from a variety of sources.
The Accounts Commission said that the council must urgently carry out thorough and routine testing of its new response, recovery and business continuity plans.
It also urged other local authorities to be prepared.
The report stated: “We urge all councils to prioritise preparation and testing of plans – this and other recent high-profile cases have shown that nobody is immune, but everyone can be prepared so disruption is minimised.
“This is especially important for councils, whose staff provide services to many of the most vulnerable within our communities.”
Western Isles Council, Cosla and the Scottish Government have been asked for comment.
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country
