Date: 25 June 2026

When organisations discuss major cyber incidents, attention often focuses on the attack itself. Questions typically centre on how attackers gained access, what malware was used, and how much data was compromised. The cyber attack against Comhairle nan Eilean Siar (Western Isles Council) tells a different story.

The most important lesson from this incident is not the intrusion. It is the recovery.

 Nearly two years after the ransomware attack was first detected, key systems remained only partially restored, recovery costs had reached approximately £500,000, and multiple post-incident recommendations were still awaiting implementation. The incident has become one of the most significant cyber resilience case studies for UK local government. 

What Happened?

On 7 November 2023, Western Isles Council detected a ransomware attack and reported the incident to Police Scotland. Public confirmation followed within days as the council began assessing the scale of the disruption.

The attack restricted access to council servers and core systems, resulting in a near-total loss of use of data held on file share servers. Critical council operations were significantly disrupted, particularly within finance functions. Council Tax and Non-Domestic Rates billing were among the services affected. While the specific attack vector has not been publicly disclosed, attackers reportedly gained unauthorised access to council systems before deploying malware that encrypted data and disabled access.

Immediate Response

Following detection, the council moved quickly to contain the incident. Affected systems were taken offline, and support was sought from Police Scotland, the National Cyber Security Centre (NCSC), the Scottish Government and external technology partners. Staff developed manual workarounds to maintain essential services, while cloud-based email systems enabled continued external communication. Front-line services and payments to staff and suppliers were prioritised throughout the recovery effort. 

The response itself was widely recognised as effective given the circumstances. However, as subsequent reviews revealed, effective incident response alone does not guarantee effective recovery.

The Recovery Challenge

What makes this incident particularly noteworthy is the length of time required to recover. According to Audit Scotland’s independent review, critical systems supporting housing benefits, council tax and non-domestic rates remained not fully restored almost two years after the attack. Recovery costs were estimated at around £500,000, with the full financial impact still emerging. 

This raises an uncomfortable but increasingly important question: How prepared is your organisation for a recovery effort measured in years rather than weeks?

Many organisations invest heavily in prevention technologies but devote far less attention to long-term recovery planning. The Western Isles incident demonstrates that resilience depends on much more than preventing initial compromise.

Governance and Preparedness Gaps

Post-incident reviews highlighted several issues that existed before the attack occurred. At the time of the incident, five of the council’s seventeen IT positions were vacant, including a senior systems analyst role. Reports also suggested that wider staff cybersecurity awareness training had lapsed.

More significantly, the Accounts Commission found that known weaknesses had already been identified before the attack but had not been fully addressed. This is a challenge many organisations face.

Security assessments, audits and risk reviews often identify vulnerabilities and control gaps. Yet competing priorities, budget constraints and resource limitations can delay remediation efforts. The problem is that cyber criminals rarely wait for organisations to catch up.

Recovery Is Not the Same as Resilience

One of the most valuable lessons from this incident is the distinction between recovery and resilience. Recovery focuses on restoring systems after an incident. Resilience focuses on maintaining operations despite disruption and improving organisational capability over time. The council’s own internal Cyber Attack Response report issued ten recommendations in October 2024. By September 2025, only five had been fully implemented.

This highlights a challenge frequently overlooked after major incidents. Once systems begin returning to normal, improvement initiatives can lose momentum. True resilience requires sustained investment, governance oversight and executive commitment long after media attention fades.

The Human Impact of Cyber Incidents

Technology was not the only casualty.

Staff were required to develop manual workarounds while continuing their normal responsibilities. This created significant additional workload and pressure over an extended period. The incident serves as a reminder that cyber crises are people crises as much as technology crises.

Organisations should ensure incident response and business continuity plans account for workforce wellbeing, resource allocation, internal communications and decision-making during prolonged recovery periods.

Key Lessons for Organisations

The Western Isles Council cyber attack provides several important lessons for organisations across all sectors:

• Test incident response and business continuity plans regularly.
• Validate backup integrity and restoration capabilities.
• Address known security weaknesses before attackers exploit them.
• Ensure adequate staffing and cyber governance structures.
• Include workforce resilience in recovery planning.
• Treat post-incident improvement as a long-term programme.
• Prepare boards and executives for prolonged recovery scenarios.

Perhaps most importantly, organisations should stop measuring resilience solely by their ability to prevent attacks. As the Accounts Commission noted, it is increasingly a question of when, not if, a cyber incident occurs. The organisations that recover most effectively will be those that have planned, tested and exercised their recovery capabilities long before an attack takes place.

The Western Isles Council incident demonstrates a reality every board and CISO should understand: The attack may last days. The recovery may last years. Download our CMA Cyber Insights Document on the Western Isles Ransomware Attack for more details on the attack and the lessons it contains.  

How CM-Alliance Helps Organisations Avoid Similar Outcomes

The Western Isles Council incident demonstrates that organisations don’t fail because a ransomware attack occurs. They struggle because they are unprepared for everything that comes afterwards. At CM-Alliance, we help organisations build resilience long before an incident happens. Our services are designed to test plans, strengthen decision-making and improve recovery capabilities, so organisations can continue operating even under significant pressure.

We can help your organisation:

• Develop practical incident response plans that clearly define roles, responsibilities and escalation procedures.
• Create cyber incident response playbooks for ransomware, data breaches and other high-impact cyber scenarios.
• Run realistic cyber tabletop exercises that allow technical teams, executives and boards to practise responding to cyber crises in a controlled environment.
• Deliver NCSC-Assured Cyber Incident Planning & Response (CIPR) training to equip incident response teams with the knowledge and confidence to manage real-world cyber incidents.
• Prepare senior leadership for crisis decision-making, regulatory scrutiny and media pressure through executive cyber crisis exercises.
• Review business continuity and disaster recovery arrangements to ensure critical services can continue during prolonged disruption.
• Validate backup and recovery strategies to confirm systems can be restored quickly when they are needed most.

The biggest lesson from the Western Isles incident is that recovery should never be improvised. Organisations that invest in planning, training and regular exercising are far better placed to minimise disruption, recover faster and emerge stronger after a cyber incident.