The Cyber and Fraud Centre Scotland is a non-profit organisation dedicated to promoting cybersecurity and providing comprehensive support within the business sector.
Two years after a ransomware attack on Western Isles Council (Na h-Eileanan Siar), the authority is still grappling with service backlogs and unrecovered data. According to a recent Audit Scotland report, the council continues to face operational disruption nearly two years on, with some finance systems only partially restored and auditors unable to verify accounts for 2023/24.
While the headlines focus on the disruption itself, the real lesson goes much deeper: cyber attacks can have long-term, cascading consequences that reach far beyond IT.
For smaller organisations such as councils, charities, SMEs, or non-profits, the Western Isles Council story is a stark reminder that cyber threats are not just technical; they are organisational, operational, and reputational.
Many smaller organisations still treat cyber security as an IT problem. Yet the Western Isles Council case demonstrates that an attack can ripple through every function. Finance, customer service, governance, marketing and staff wellbeing all suffered. Service backlogs lingered for years, auditors could not verify accounts, and employees faced enormous pressure to maintain operations manually.
The lesson is clear. Cyber security is not a single event or a checklist. It is an ongoing element of organisational resilience. Planning for an attack is as essential as planning for natural disasters or financial shocks.
The Audit Scotland report notes that some of the exploited weaknesses had been identified in earlier audits, but recommendations were not implemented. This highlights a common issue in smaller organisations: the gap between identifying risk and acting on it. Known vulnerabilities, if left unaddressed, can become the entry point for long-term operational disruption. The ICO continually finds the same in its investigations: ‘patch management’ requires scrutiny.
Proactive risk management is therefore not optional. Organisations must embed continuous assessment and remediation into everyday governance, not just respond after a crisis.
Even after technical systems are restored, recovery is rarely instantaneous. Staff must reconcile lost or corrupted data, rebuild processes, and restore public trust. The Western Isles example shows that even with investment and effort, full recovery can take years. Organisations should prepare for the long tail of cyber incidents, including the human, operational, and reputational impacts.
Cyber resilience is not just about systems; it is about people. When attacks occur, staff capacity and wellbeing are tested; overworked or unsupported employees risk burnout, mistakes, or attrition, further amplifying the organisation’s vulnerability. Cultivating a culture where staff understand their role in cyber resilience and are supported in times of crisis is as important as firewalls and backups.
The Western Isles Council case is a cautionary tale but also an opportunity. It reminds organisations that cyber resilience is not optional and that preparing for disruption is not just about technology. It is about strengthening the organisation.
At the Cyber and Fraud Centre – Scotland, we help organisations build resilience. By working together, we can turn hard lessons from others into practical strategies that protect people, services, and public trust.
Our membership gives organisations year-round access to monthly CPD-accredited training webinars, expert support and practical resources to help build resilience before an attack ever takes place.
The Cyber Executive Education Programme provides leadership teams with the strategic understanding they need to govern cyber risks, make informed decisions during an incident and reduce the chance of long-term disruption. You can sign up to our next sessions here.
Cyber Skills Academy training sessions strengthen workforce capability at every level. From awareness sessions for all staff to more advanced technical training, we help organisations ensure their people know how to prevent, detect and respond to threats confidently. Explore more about our training here.
Finally, if you want to identify potential gaps in your systems, a penetration test may be a good option. This is a simulated cyber attack that identifies and exploits weaknesses in your IT systems, applications, or network. As a proactive security measure, it helps organisations uncover real-world vulnerabilities before malicious hackers do. Get in touch with our team to discuss how testing will support your cyber resilience.