When organisations discuss major cyber incidents, attention often focuses on the attack itself. Questions typically centre on how attackers gained access, what malware was used, and how much data was compromised. The cyber attack against Comhairle nan Eilean Siar (Western Isles Council) tells a different story.
The most important lesson from this incident is not the intrusion. It is the recovery.
Nearly two years after the ransomware attack was first detected, key systems remained only partially restored, recovery costs had reached approximately £500,000, and multiple post-incident recommendations were still awaiting implementation. The incident has become one of the most significant cyber resilience case studies for UK local government.
On 7 November 2023, Western Isles Council detected a ransomware attack and reported the incident to Police Scotland. Public confirmation followed within days as the council began assessing the scale of the disruption.
The attack restricted access to council servers and core systems, resulting in a near-total loss of use of data held on file share servers. Critical council operations were significantly disrupted, particularly within finance functions. Council Tax and Non-Domestic Rates billing were among the services affected. While the specific attack vector has not been publicly disclosed, attackers reportedly gained unauthorised access to council systems before deploying malware that encrypted data and disabled access.
Following detection, the council moved quickly to contain the incident. Affected systems were taken offline, and support was sought from Police Scotland, the National Cyber Security Centre (NCSC), the Scottish Government and external technology partners. Staff developed manual workarounds to maintain essential services, while cloud-based email systems enabled continued external communication. Front-line services and payments to staff and suppliers were prioritised throughout the recovery effort.
The response itself was widely recognised as effective given the circumstances. However, as subsequent reviews revealed, effective incident response alone does not guarantee effective recovery.
What makes this incident particularly noteworthy is the length of time required to recover. According to Audit Scotland's independent review, critical systems supporting housing benefits, council tax and non-domestic rates remained not fully restored almost two years after the attack. Recovery costs were estimated at around £500,000, with the full financial impact still emerging.
This raises an uncomfortable but increasingly important question: How prepared is your organisation for a recovery effort measured in years rather than weeks?
Many organisations invest heavily in prevention technologies but devote far less attention to long-term recovery planning. The Western Isles incident demonstrates that resilience depends on much more than preventing initial compromise.
Post-incident reviews highlighted several issues that existed before the attack occurred. At the time of the incident, five of the council's seventeen IT positions were vacant, including a senior systems analyst role. Reports also suggested that wider staff cybersecurity awareness training had lapsed.
More significantly, the Accounts Commission found that known weaknesses had already been identified before the attack but had not been fully addressed. This is a challenge many organisations face.
Security assessments, audits and risk reviews often identify vulnerabilities and control gaps. Yet competing priorities, budget constraints and resource limitations can delay remediation efforts. The problem is that cyber criminals rarely wait for organisations to catch up.
One of the most valuable lessons from this incident is the distinction between recovery and resilience. Recovery focuses on restoring systems after an incident. Resilience focuses on maintaining operations despite disruption and improving organisational capability over time. The council's own internal Cyber Attack Response report issued ten recommendations in October 2024. By September 2025, only five had been fully implemented.
This highlights a challenge frequently overlooked after major incidents. Once systems begin returning to normal, improvement initiatives can lose momentum. True resilience requires sustained investment, governance oversight and executive commitment long after media attention fades.
Technology was not the only casualty.
Staff were required to develop manual workarounds while continuing their normal responsibilities. This created significant additional workload and pressure over an extended period. The incident serves as a reminder that cyber crises are people crises as much as technology crises.
Organisations should ensure incident response and business continuity plans account for workforce wellbeing, resource allocation, internal communications and decision-making during prolonged recovery periods.
The Western Isles Council cyber attack provides several important lessons for organisations across all sectors:
Perhaps most importantly, organisations should stop measuring resilience solely by their ability to prevent attacks. As the Accounts Commission noted, it is increasingly a question of when, not if, a cyber incident occurs. The organisations that recover most effectively will be those that have planned, tested and exercised their recovery capabilities long before an attack takes place.
The Western Isles Council incident demonstrates a reality every board and CISO should understand: The attack may last days. The recovery may last years. Download our CMA Cyber Insights Document on the Western Isles Ransomware Attack for more details on the attack and the lessons it contains.
The Western Isles Council incident demonstrates that organisations don't fail because a ransomware attack occurs. They struggle because they are unprepared for everything that comes afterwards. At CM-Alliance, we help organisations build resilience long before an incident happens. Our services are designed to test plans, strengthen decision-making and improve recovery capabilities, so organisations can continue operating even under significant pressure.
We can help your organisation:
The biggest lesson from the Western Isles incident is that recovery should never be improvised. Organisations that invest in planning, training and regular exercising are far better placed to minimise disruption, recover faster and emerge stronger after a cyber incident.