03 October 2025

Building cyber resilience across councils


For councils, cyber resilience is no longer optional. Quick recovery, robust backups, and proactive planning safeguard critical services, sensitive data, and public confidence in an increasingly hostile cyber landscape, says Jacob Anderson, regional vice president, Rubrik UK.

In recent years, there has been a significant increase in cyber attacks aimed at UK public sector organisations. These cyber incidents have caused substantial negative impacts. Councils are high-value targets due to the volume of personal data they hold, and the critical services they deliver.

Earlier this year, Gateshead Council suffered an attack by the Medusa ransomware group that saw stolen documents, including sensitive personal data, published online. Meanwhile, Hackney Council continues to contend with the long-term financial and operational consequences of its 2020 breach, highlighting how enduring the effects of such incidents can be.

Compliance alone is insufficient

Given the risk to the UK public sector’s cyber security, a purely compliance-driven approach is inadequate against today’s adversaries. While regulatory alignment is important, it does not provide the agility needed to deter sophisticated, persistent attackers.

Strengthening cyber resilience is essential to stop groups including the Holy League, a coalition of pro-Russian and pro-Palestinian hacktivists, that earlier this year targeted the British Army, Royal Navy and the Office for Nuclear Security. Councils that contain breaches and recover quickly protect both services and the people who rely on them.

Resilience begins with recovery

Adversaries exploit gaps in technology, processes, regulation and skills. They require only a single successful intrusion, whereas defenders must repel every attempt. The imbalance makes the prospect of complete prevention unrealistic. Traditional perimeter-focused defence strategies have their place, but they are no longer sufficient on their own.

Critical infrastructure operators must instead adopt a recovery-first mindset: anticipating breaches, planning for rapid restoration of services and ensuring continuity even in the face of compromise. The goal is not to prevent 100% of attacks but to withstand them and return to normal operations quickly and securely.

The implications of a ransomware payment ban

The UK government’s proposal to prohibit ransomware payments by public sector organisations raises the stakes considerably. If the proposal comes into effect, councils, NHS trusts and schools will no longer be able to pay ransoms as a last resort to regain access to systems. The intention is to disrupt the financial model that underpins cybercrime. However, this shift places even greater responsibility on public bodies to ensure they can detect, contain and recover without delay.

Immutable backups, rapid recovery mechanisms and continuous monitoring are now indispensable. Without these, public services risk prolonged outages that could undermine public confidence, particularly when highly sensitive information is compromised.

Automation, immutable backups and rapid recovery

Automation provides one of the most effective means of strengthening cyber resilience. By accelerating threat detection and incident response, automation helps security teams act decisively in the early stages of an attack. Automated testing of backup environments and continuous monitoring further enhance resilience, reducing the time and cost associated with recovery.

Immutable backups are equally critical. Once stored, data cannot be modified or deleted, even if attackers gain administrative access. This ensures that the last uncompromised copy remains available for recovery, significantly limiting the leverage ransomware groups can exert. Advanced detection tools, including machine learning, can identify suspicious patterns in backup environments and raise alerts before an incident escalates. Together, these measures minimise downtime, protect critical data and preserve operational continuity.

Government support for local authorities

The Ministry of Housing, Communities and Local Government’s Local Digital team has taken steps to strengthen resilience across councils. The Cyber Support Programme allocated £19.9m to 192 authorities, while the Cyber Assessment Framework (CAF), launched in October 2024, provides a structured approach to assessing and improving resilience. The impact is already visible: between 2020 and February 2025, councils achieved an 83% reduction in initial risk, an 82% improvement in backup resilience and annual sector-wide savings estimated at £11m.

Nonetheless, significant challenges persist. Developing a positive cyber culture across local government is difficult, with organisational engagement inconsistent and training often underfunded. Financial pressures are also acute, with local authorities burdened by £122bn in debt. This makes it harder to procure affordable out-of-hours cyber expertise, leaving monitoring and logging functions under-resourced. Many councils are forced to manage these capabilities in-house, slowing response times and undermining resilience.

Resilience underpins essential services

Cyber resilience not only strengthens the ability of organisations to withstand and recover from attacks, but it also serves as a deterrent. Adversaries are less likely to target entities they know can recover quickly, as the likelihood of success diminishes. For UK councils and other public sector organisations, resilience is more than a defensive measure; it is central to protecting communities. True cyber resilience will preserve the reliability of essential services and maintain public trust in an increasingly hostile cyber environment.
