Navigating cyber risks: How local authorities can build resilience against emerging threats

Why cybersecurity matters for local authorities

Local authorities manage critical services - from housing and social care to education and public safety. A successful cyber-attack can disrupt these services, compromise citizen data and erode public trust. With the Cyber Security and Resilience Bill (2025) introducing stricter requirements for incident reporting and resilience planning, now is the time to strengthen your cyber posture.

What are the key cyber risks facing local authorities?

1. Third-party vulnerabilities

Many councils rely on shared IT services or external suppliers. A breach in one area can quickly escalate, disrupting services across multiple authorities. Therefore, supply chain security is no longer optional, but it’s essential.

2. Ransomware and phishing attacks

Local authorities are prime targets for ransomware and phishing campaigns. These attacks can lead to service outages, data breaches, and significant financial losses.

3. Regulatory compliance

The Cyber Security and Resilience Bill (2025) requires councils to demonstrate resilience and report incidents promptly. Whilst the Bill is still progressing, aligning with its principles now will help future-proof your organisation.

4. Legacy infrastructure

Outdated systems are often harder to patch, lack modern security controls, and can serve as easy entry points for attackers. Many local authorities still rely on older technology that may no longer be supported by vendors, increasing exposure to exploits. While cloud adoption grows, many critical services and data still reside on-premises. These assets require rigorous protection, as they are frequently targeted in ransomware and phishing attacks. Poorly secured on-premises systems can become a single point of failure.

Best practices to mitigate risks

To protect your local authority, we have outlined best practice to bear in mind to reduce risk and disruption from cyber threats.

Cyber readiness: What good looks like (and what it doesn’t)

Whilst cyber attacks cannot always be prevented, they can be anticipated, detected early and managed effectively. True cyber resilience is the ability to continue delivering critical services during an attack.

1. Defining ‘minimum viable business’

Local authorities cannot protect everything equally. Leaders must identify:

• Their critical services
• Essential data
• Systems that must remain operational during a crisis

2. Exercising incident response

Paper-based assurances often give a false sense of security. What local authorities need are:

• Realistic simulations
• Clearly defined roles and responsibilities
• Simple, actionable playbooks for the first 24–72 hours
• Regular joint exercises with partners, including third parties

3. Communicating effectively

Incident response isn’t only technical, it’s also communicative:

• Early notification of regulators (including the ICO)
• Clear internal communication
• Prioritisation of vulnerable service users

4. Treating cyber as a business risk, not an IT problem

Boards and executives must understand their responsibilities, risk appetite and decision pathways.

Boards benefit from board champions - members who deepen their operational understanding of cyber resilience and bring insights back for effective oversight.

Final thoughts

Cybersecurity is not just an IT issue; it’s a core component of service delivery and public trust. By taking these proactive steps, local authorities will build resilience, protect citizens, and ensure continuity of essential services.