
30% of IT Roles Were Vacant. Then the Ransomware Hit.

Cyber breaches look tidy in headlines. One attack. One villain. One dramatic moment.

Reality is the opposite. The real story is the slow, grinding recovery that drags on for years after the sirens stop.

The new audit of Comhairle nan Eilean Siar, a small council in the Western Isles of Scotland, gives a rare public look at what that long tail really feels like.

The Quiet Before the Storm

The council in November 2023:

  • 30% of IT roles vacant, including a senior systems analyst.
  • Staff cybersecurity training had lapsed, and completion rates were not tracked.
  • Neither the Cyber Incident Response Plan nor the Disaster Recovery Plan had been finalised or approved.
  • Annual audits flagged high and extreme IT risks, with follow-up actions left blank or vague.
  • Critical systems running on ageing on-premises infrastructure.
  • No committee formally owned cyber or IT risk.

On paper, the controls were rated adequate. In practice, the organisation was stretched thin.

The Breach

Imagine you are on the IT team. Activity logs show servers starting to drop offline between 3am and 5am. Then the server holding the activity logs goes dark too.

By early morning, staff arriving for work find a council that has gone silent. No systems. No phones. What looked like a hardware fault reveals itself as something far worse: a ransomware attack that has encrypted everything.

By midday, a ransom demand arrives.

By afternoon, the Chief Executive is in an emergency meeting with IT staff, resilience officers, and the council leader.

By evening, the Scottish Government is coordinating a multi-agency response.

On-premises systems were hit hardest, including finance and HR. Cloud systems stayed up and became the lifeline. On-prem went dark.

The council presumably chose not to pay the ransom. That decision avoided a cycle of dependence on criminals, but it forced a long and painful rebuild.

Forensic investigators found no indicators of how attackers gained access. The exact cause of the breach remains unknown to this day.

Two Long Years of Recovery

Some systems are still being rebuilt. Only half of the audit recommendations have been implemented. The opportunity cost for staff and resources is enormous.

Large pieces of the improvement programme remain unfinished. Training programmes are not fully rolled out. There is still no formal process for following up on failed phishing tests. The newly drafted Incident Response Plan, Disaster Recovery Plan, and Business Continuity Plan have not been tested. Full compliance with NCSC principles is not yet achieved.

The audit explicitly noted that staff went above and beyond, taking on extra work while managing day-to-day responsibilities. It called on the council to better support employees during prolonged crises. Two years of disruption takes a toll that does not show up in system logs.

The Governance Gap

One of the most important findings was the absence of clear ownership. No committee formally owned IT or cyber risk. When no one owns a risk, it never gets solved. It simply lives in reports until something breaks.

The Uncomfortable Truth

The audit is careful on one point. You can’t conclude that stronger controls would have prevented the breach. That uncertainty is part of real-world cybersecurity.

Better controls do not guarantee safety. What they do is reduce the blast radius, shorten downtime, and give teams a fighting chance to detect and contain threats quickly.

Looking In The Mirror

This is not a story about a remote Scottish council. It reflects our own organisations.

Understaffed teams. Ageing infrastructure. Plans left in draft. Reliance on on-premises systems that cannot be patched fast enough. Training that stalls when budgets tighten. Risk registers with no owners.

Attackers exploit these gaps long before the first alert pings, and it hurts for a long time after.

As the Accounts Commission chair put it: councils should assume “it’s a case of when, not if, they are attacked.”

The same is true for every organisation.

A cyber breach is a marathon that begins the day the attacker gets in. The length of that marathon is decided by what you do long before the breach happens.

References:

“Cyber-attack affecting operations and services: The 2023/24 audit of Comhairle nan Eilean Siar” https://audit.scot/uploads/2025-11/s102_251127_comhairle_nan_eilean_siar.pdf

“Scottish council still rebuilding systems two years after ransomware attack” https://www.theregister.com/2025/11/27/western_isles_ransomware_council/
