Ensuring a new unitary council can protect data, detect threats, maintain secure access, and keep critical services running from day one.

What cyber readiness means

Cyber readiness means that the new council can:

  • protect sensitive data
  • detect and respond to cyber threats
  • maintain secure access for staff and suppliers
  • ensure critical services remain available
  • follow data protection and Public Services Network-related obligations
  • provide confidence to the public, partners and elected members
  • identify and manage security vulnerabilities found in their network and systems

The goal is risk reduction, not full integration of cyber and security systems for day one. The architecture will still be temporary, but it must be strong enough to work safely.


Why reorganisation increases cyber risk

Councils will potentially be more vulnerable to cyber threats during reorganisation for five reasons:

  1. greater exposure: more devices, endpoints, admin accounts, legacy systems, suppliers and exposed interfaces
  2. temporary technology set-ups: shared logins across separate systems, a mix of cloud and older on-site systems, more than one network running at the same time, or older systems that can’t be replaced before day one
  3. intensive data movement: sharing, consolidating, archiving and splitting data all carry risk if not governed properly
  4. increased phishing and social engineering: staff uncertainty, organisational change and multiple email domains create opportunities for attackers
  5. supplier-related vulnerabilities: unclear contract ownership, unexpected renewal cycles and breakdown of support arrangements

Assess and manage your cyber resilience

The Cyber Assessment Framework (CAF) for local government helps councils assess and improve cyber resilience. Completing the CAF supports you to:

  • identify cyber risks that could disrupt essential services
  • improve resilience to potential cyber attacks
  • know what areas to prioritise though actionable recommendations, so you spend time and money more efficiently
  • embed a culture of cyber security across your organisation

Our advice is to:

  • complete a CAF assessment, covering at minimum objectives A and D before vesting day
  • share Improvement and Implementation Plans with other councils in your LGR area to understand joint risks
  • develop a collective plan for building improvements into the new organisation
  • complete a full CAF assessment within one year of vesting day
  • add all your domains to DSIT’s Vulnerability Monitoring Service and make sure your contact details are up to date, so you are alerted if any critical vulnerabilities are found

We used CAF to track, monitor and review our systems at an almost audit level with the buy-in of senior management. That has been so critical to our cyber security because 99% of the time it is senior management who are under attack (from phishing emails, device attacks etc).

A council Head of IT

Responding to cyber incidents

MHCLG’s Cyber Incident Response (CIR) service helps councils respond quickly and effectively to severe cyber incidents.

The service gives eligible councils access to a National Cyber Security Centre (NCSC) assured provider for containment and eradication support following a significant cyber incident.

NCSC will share reports promptly with MHCLG, who will monitor them on a 24/7 basis to assess whether the incident meets the threshold for activating the CIR service.

If activated, MHCLG providers will contact affected councils within 30 minutes, assess the threat and agree next steps.

Councils will need to sign a Memorandum of Understanding to formally approve provider access to compromised networks and agree the cyber response activity to be carried out.

Our advice is to:

  • review and understand the service process and steps for responding to a severe cyber incident
  • keep offline backups of key documents such as up-to-date network diagrams, and critical system recovery plans, so responders can act quickly if a severe cyber incident were to take down your usual systems

If I had to give one strong piece of advice, it would be: consolidate your Microsoft tenancy early. Same email domain, same experience. It’s expensive and you’ll probably need external support, but without it people never really feel like one council. Culture gets pulled through infrastructure whether you like it or not.

Madeline Hoskin, Assistant Director for Technology, North Yorkshire Council

Reporting a cyber incident

Report all cyber incidents to NCSC using the reporting tool.

Resilience and emergency planning

Technology, cyber and resilience teams should work together to:

  • review and update business continuity and disaster recovery plans
  • confirm who leads incident response on day one
  • be clear on when a cyber incident should be escalated beyond IT and trigger the council’s wider emergency management response
  • detail how decisions will be made if critical systems fail

Practical steps to prepare for potential disruption include:

  • validating contact lists and on-call rotas
  • testing failover and backup arrangements for priority systems
  • aligning cyber incident response plans with the new council’s business continuity plans
  • running tabletop exercises based on LGR-specific scenarios, such as system outages, ransomware attacks or data access failures

Webinars

Considerations for identity during LGR

Explores how to control access securely when multiple councils share systems, manage who can access what, and apply Zero Trust principles during reorganisation.

Watch the webinar recording (YouTube)

Tenancy migrations in the context of LGR

Practical insights from real-world migrations, covering proven strategies and common issues.

Watch the recording (YouTube)

Read the questions and answers

Building security posture and multi-tenancy considerations

Covers latest threats, practical strategies for complex environments, and modern tools for cyber protection.

Watch the recording (YouTube)