Fears vital services could be at risk in Cheltenham
It's as half of councillors are not keeping up with cyber security training
There are serious concerns vital council services in Gloucestershire could be disrupted once again by hackers because councillors are not keeping up with their cyber security training.
A recent freedom of information request has revealed that only 20 of Cheltenham Borough Council’s 40 councillors had completed their online cyber refresher training.
This has sparked alarm among councillors who fear such a weakness in their cyber security defences could lead to another devastating situation like Gloucester City Council suffered in 2021.
The authority’s systems were compromised by a ransomware attack when Russian hackers sent an e-mail designed to look like part of a conversation, which released malicious software and made almost every council system inaccessible.
This disrupted housing benefit claims, council tax payments, leisure centre bookings and caused havoc with house sales in the city with delays to property searches.
It took years for the council to fully recover and it is now at risk of bankruptcy with the discovery of overspends council leaders say are due to poor accountancy practices after the cyber attack.
Councils across Gloucestershire were asked by the Local Democracy Reporting Service how often their staff and councillors undertake cyber security training.
Cheltenham Borough Council, who so far are among only two of the authorities to make the information on councillor uptake public, said only 50 per cent of their elected members have completed their online cyber refresher training.
However, the figures were much better for council officers with 90 per cent having completed their training.
The council says it offers cyber security training on a regular basis and councillors are encouraged to complete it both through online modules and in-person member development sessions.
A councillor, who did not wish to be named, said cyber security is extremely important to keep council systems safe.
“Systems are only as strong as their weakest link,” they said.
“If the weakest link are councillors that don’t undertake mandatory training, that’s not acceptable.
“And it leaves council systems open to penetration.”
Tewkesbury Borough Council, which had a cyber scare of its own in 2024, has an even better compliance rate for staff with 98 per cent having completed it in the last financial year.
Uptake among councillors was 86 per cent and they are offered training annually.
Stroud District Council said staff there are also asked to complete cyber security training courses yearly as well as agency staff.
The current completion rate is just shy of 75 per cent.
However, they did not give a figure for councillor uptake but said elected members are given a cyber security briefing as part of their induction and are asked to complete annual courses.
Gloucester City Council says it has a very robust IT security in place after the cyber attack in 2021. The Council uses the necessary products and tools to keep systems and infrastructure safe and secure.
They said council staff and councillors regularly undertake cyber security training but would not say how often and claimed its disclosure could prejudice law enforcement.
They also refused to disclose their latest uptake percentages for council officers and elected members citing the same reason.
Cotswold District Council and Forest of Dean District Council say 94 per cent of their officers have completed their cyber security training.
They did not say what the completion percentage was when asked for the uptake among elected members but that they have “just commenced our annual cyber security refresher training programme for councillors”.
Uptake of cyber security training at Gloucestershire County Council has also been requested under freedom of information legislation but has not responded within the 20 working day deadline.
The council has apologised for the delay and are continuing to progress the request.
The National Cyber Security Centre gave an update on the cyber threat landscape in its annual review in 2025.
It says state actors such as China, Russia, Iran and the Democratic People’s Republic of Korea continue to present a significant threat to the UK and global cyber security.
And they emphasise the importance for all organisations to act now to ensure cyber security is a key part of their operational resilience.
Helping to raise the cyber resilience of the UK public sector is a core part of their mission and they have produced guidance to help public sector organisations reduce the likelihood of cyber attacks and to help them mitigate the impacts.
The Ministry of Housing, Communities and Local Government has provided £23 million of cyber grant funding and technical support to councils since 2020.
This includes support to deliver the Cyber Assessment Framework for local government, which sets a clear cyber security standard for the sector.
MHCLG has also launched a local government Cyber Incident Response service to support English local authorities respond to severe cyber incidents, helping to limit the impact these have on data and services.