Kurtis Toy, Chief Operating Officer and CISO of the Cyber Centre of Excellence
The reality of local government reorganisation (LGR) is coming into sharp focus as district and county councils prepare to merge into single-tier unitary councils over the next two years. At the same time, the Government is pushing ahead with a new phase of devolution in many of the same places. While the short- and long-term financial, economic and operational benefits of LGR and devolution have been widely debated, cyber security implications have, comparatively, received limited attention.
With the sharp rise in state actor cyber-attacks against public and private sector organisations alike, such as the string of attacks that significantly impacted retail giants like Marks & Spencer last year, the Cyber Centre of Excellence (CCoE) has collaborated with the District Council Network (DCN) on a survey and qualitative research. The aim was to better understand local councils’ views about the evolving cyber threat landscape and the challenges of maintaining cyber resilience amid local government reorganisation and other structural changes to the local public sector.
Findings
62 digital leaders from 58 district councils responded to the survey.
When asked to rate the confidence they have in their organisation’s cyber security on a scale from 1 (very concerned) to 8 (very confident), the mean response was 5.86, indicating overall confidence. When asked whether high-profile cyber-attacks on private companies, such as M&S, increased their concerns about their own organisation’s cyber security position, on a scale from 1 (increased concern significantly) to 8 (no impact), respondents reported a moderate to neutral impact on concern (mean 4.76).
However, the vast majority of respondents (90.3%) believed that the LGR transition would increase cyber risk for councils, either modestly or significantly. A thematic analysis of the survey data further revealed the following concerns:
Increased number of collaborative partners
The most common concern shared by digital leaders was that reorganisation could increase the number of collaborative partners involved in managing data and securing systems as organisations merge. As a result, access to sensitive systems and datasets may need to be extended across authorities and teams, creating additional entry points and reducing the exclusivity of administrative privileges. This expansion of access within emerging unitary councils carries a great risk of increasing the attack surface if not co-ordinated meticulously.
Different approaches to policy and cyber security hygiene
Furthermore, differing approaches to cyber security hygiene between councils were highlighted as a potential risk factor in the formation of unitary councils. As councils reform, coordinating alignment and agreement between existing security policies, standards, and practices – and ensuring they’re complied with – will be challenging. Disparities in cyber security maturity and operational procedures will likely complicate the enforcement of consistent security controls across newly formed organisations, thus negatively impacting cyber risk.
Merging non-validated systems
Concerns were also raised about integrating systems that may not have been fully tested or validated prior to merging. Respondents noted that tight transition timeframes could require the temporary adoption of interim systems, limiting the opportunity for comprehensive security testing and risk mitigation. In some cases, legacy systems may be retained or prioritised over more secure alternatives to maintain operational continuity during the transition. It was also noted that the transition period could lead to the loss of key personnel who may have context, legacy and specialist knowledge, with a knock-on impact on decision making and implementation. The short implementation period also increases the risk that vulnerabilities remain unidentified prior to integration. Some respondents also mentioned that latent malware or previously undetected compromises within legacy systems could be carried into the newly merged infrastructure, potentially exposing the wider unitary organisation to cyber threats.
Conclusion
Periods of organisational change can present heightened cyber security risks, as attention is often directed towards structural and operational priorities. During local government reorganisation, the integration of systems, expansion of access across partners, and alignment of differing security practices may create vulnerabilities that threat actors could seek to exploit. While respondent digital leaders expressed general confidence in their existing cyber security position, the overwhelming expectation that reorganisation will increase cyber risk highlights the need for cyber resilience to remain a central consideration throughout the transition. Ensuring robust governance, consistent security controls, and thorough system validation will be critical to safeguarding local authority infrastructure during this period of change.
About the Cyber Centre of Excellence (CCoE)
The Cyber Centre of Excellence is a not-for-profit organisation founded by iESE CIC for the benefit of public sector bodies, local authorities, and their communities. CCoE continually tests emerging technologies to make a meaningful difference to real world protection beyond tick box compliance and offers a suite of validated premier products at an affordable price.
If you are interested in their products or services, visit www.ccoe.org.uk or email enquiries@ccoe.org.uk.







