The Scottish Comhairle nan Eilean Siar, or Council for the Western Isles, is now two years into recovering from a major ransomware attack that hit it in early November 2023.
The direct financial fallout from this cyber incident has already exceeded 1 million euros, a substantial cost for the council. The precise cause of the ransomware breach remains unknown.
A new report from the Scottish Accounts Commission sheds light on critical issues. The council’s continuity plans were not robust enough to handle the scale of the attack. This report highlights risks for all councils.
Prior weaknesses in IT infrastructure and governance, identified before the attack, had not been resolved. Furthermore, a shortage of IT personnel exacerbated the council’s vulnerability.
The Accounts Commission suggests that if the council had been better prepared, the overall impact of the ransomware attack could have been significantly mitigated.
Disturbingly, only half of the recommendations made after an earlier audit, conducted before the attack, have been fully implemented by the council.
Key tasks still outstanding include comprehensive staff training, rigorous testing of response plans, and full adherence to the UK’s National Cyber Security Centre (NCSC) cybersecurity principles.
The recovery efforts are far from over. Staff are still meticulously working to restore both historical and current data to the affected systems.
This arduous recovery process is expected to extend well into next year. During the attack, the attackers encrypted not only live systems but also numerous backups, so some data has been permanently lost. The Accounts Commission has released a detailed report on the incident.
The challenges faced by the Scottish council underscore a widespread threat, as new platforms like Matrix Push C2 demonstrate how accessible advanced phishing and malware tools have become for criminal enterprises. These services, often offered “as-a-service,” lower the bar for sophisticated attacks.
Such operations are further enabled by dedicated infrastructure providers, as seen with sanctions against Russian “bulletproof” hosting services that facilitate ransomware groups like LockBit and BlackSuit by obscuring their activities from law enforcement. International efforts are targeting these critical enablers of cybercrime.
The ongoing recovery highlights the need for robust cybersecurity measures, from network security monitoring to vulnerability scanning, to defend against evolving threats and limit the fallout from incidents of this kind. Effective controls protect vital data and preserve an organisation's ability to operate.