It’s time of year for budget-setting by local government (and the police). As the Labour leader of the west London borough of Hammersmith and Fulham (LBHF) Stephen Cowan put it recently; ‘we’re a cash-strapped austerity council’. Where does that leave cyber security? Mark Rowe asks.
All UK local authorities are ‘confronted with an unprecedented level of cyber risk’, a report to Durham County Council’s Reform Party cabinet stated before its January 21 meeting.
High-profile incidents involving the public sector include (as the report went on) Redcar and Cleveland, St Helens councils and more recently three London boroughs. It’s resulted in ‘considerable disruption to council services, substantial remediation costs, and reputational harm’. To leave that report for a minute, the fact that some councils share services (in the name of economy) can mean that cyber ‘incidents’ are more widespread; Westminster City Council, too, well after the ‘incident’ was reporting ‘technical issues’.
Further reading
One of the more succinct studies of the experience of a cyber attack against local government was by the Local Government Association (LGA) about Gloucester City Council, whose attack in December 2021 led to it building ‘a completely new’ IT system. In a foreword, Gloucester MD Jon McGinty warned that ‘we had invested millions in cyber security, systems, training and exercises. However, no matter the preparations and mitigations you have in place it could happen to you’.
To return to the Durham report: central government and the UK official National Cyber Security Centre (NCSC) have advised public bodies to prepare for cyber attacks as an ‘inevitability’. The Durham report went on: “The council is taking steps to reduce risk and improve readiness, including recently securing cyber insurance through competitive process. While insurance cannot prevent an attack, it would support and assist cover recovery costs, reducing financial impact, and provide additional recovery capacity. For instance, Redcar and Cleveland Borough Council’s cyber-attack reportedly led to £11.3m in expenses, with only £3.66m covered by central government; uninsured, they had to draw on their reserves for the remainder.”
Transition to cloud
Durham council continues to progress its ‘strategic shift’ from on-premises hosting to cloud-based provision of applications. Historically, the council’s IT services have relied on on-premises IT servers. As the report puts it: “Over the past decade, the IT industry has shifted towards cloud-based solutions, offering enhanced scalability, flexibility, and resilience. While several council systems have already transitioned to cloud services, many critical organisational applications remain hosted on-premises. This situation presents both challenges and opportunities as the council navigates its digital transformation.”
And AI
As for AI, councils are using artificial intelligence; whether to support road maintenance, AI chatbots to help residents with parking and penalty charge queries, that don’t necessarily need a (more expensive) human to answer; and AI-enabled CCTV cameras to combat fly-tipping.
According to the report, Durham council is ‘at an early stage in its digital transformation journey’. There is enthusiasm and willingness among staff to grasp new technologies with positive examples of innovation, such as the early use of AI tools like Magic Notes in adult social care and the use of Copilot in meetings; however, these developments remain isolated rather than organisation-wide, and investment has been ‘limited’. The report admits Durham has ‘a fragmented approach’ to the management and use of technology across the council, as departments and services deploy their own systems. “This fosters siloed working and runs counter to the one organisation ethos, while also posing a significant cyber security risk,” the report adds. As the cyber industry can add, workers (in the private sector too) are – in an echo of ‘bring your own device’ of a dozen years before – using AI on their own initiative, and cyber professionals may not know what data is going into large language models.
Action plan
As background, as the report noted, the NCSC Annual Review 2024 highlights that the UK’s collective capacity to defend against cyber-attacks – and to maintain operational resilience when breaches occur – has not kept pace with the evolving threat landscape. And as featured in the February 2026 edition of Professional Security Magazine, the Department for Science, Innovation and Technology (DSIT) published a ‘Government Cyber Action Plan’. Among the proposals was a ‘Government Cyber Unit’, which, the document admitted, would have to prioritise.
