A persistent misconception across public sector organisations is that cybercriminals are only interested in 'big game': multinational corporations or top government departments. However, the cyber threat landscape has fundamentally shifted, and attackers no longer discriminate based on organisational size, sector or profile.

In November 2025, multiple London councils acknowledged that they had experienced cyberattacks. This led to the suspension of various public-facing services, raising concerns about the security of resident data¹. Reports indicate that three major boroughs affected were forced to shut down critical IT systems as they investigated the issue.

The risks are clear: to protect public funds, sensitive citizen data and the delivery of essential services, community leaders need to view cyber resilience as a vital part of operational stability.

The changing face of cyber threat

This belief that 'we're too small to be targeted' has left many community organisations dangerously exposed. Cybercriminals can view town and parish councils, community groups and smaller local authorities as easier targets — organisations with valuable data and limited defences.

Automated threats, such as ransomware and phishing campaigns, do not care about yearly turnover or the size of the parish. They simply look for vulnerabilities such as unpatched software or untrained staff.

The 2025 Cyber Security Breaches Survey, conducted by the UK government, reveals that phishing remains the most common and damaging threat to organisations. In the past year, almost 85% of public businesses and 86% of UK charities were targeted by critical phishing attacks².

Why local authorities and community organisations are vulnerable

  • Personal data: Local authorities and community organisations hold extensive personal information. These range from names and addresses to national insurance numbers, council tax records, benefits information and health data. For smaller organisations managing community halls, local events or resident databases, this data can be equally attractive to bad actors seeking to profit from identity theft or fraud.
  • Budget constraints: Operating under tight budget restrictions, councils often neglect cybersecurity. Many public sector businesses still employ legacy systems, creating system weaknesses that modern, AI-enabled attacks can easily exploit.
  • Digital overreliance: Digital transformation comes with a catch. With the migration to online services, primarily accelerated by the pandemic, entry points have multiplied for threat actors. Shared IT infrastructure, whilst cost-effective, creates additional risk. When multiple organisations share a core platform, attackers can exploit stolen credentials, moving laterally across interconnected systems.
  • Human error: Without appropriate training, local government workers may be ill-prepared to identify ransomware attacks or integrate two-factor authentication. As a result, employees can unknowingly become a weak point in your security chain.

Consequences beyond the immediate attack

When a cyber incident occurs, the damage can extend beyond technical disruptions. The ripple effects have the potential to affect an entire community.

  • Service disruption: A crucial attack can fracture services and compromise personal information. For a parish council, this could mean an inability to communicate with residents or manage local facilities. One such example is Leicester City Council's 2024 ransomware attack, which impeded crucial services for several weeks, including child protection, adult social care and homeless services³. Residents reported difficulties accessing council tax accounts, business rates, housing services, parking permits, online benefit systems and other core digital functions.
  • Financial strain: The cost of a breach, including legal fees, data recovery and forensic investigation, can exceed the cost of preventative cover. Following a damage recovery incident from 2024, the cost estimates were close to £500,000 for one Scottish council, which eventually doubled to over £1 million by year-end⁴. For smaller organisations with tight margins, these costs may threaten viability.
  • Regulatory investigation and reporting: A breach often triggers mandatory reporting and regulatory investigations into compliance obligations, such as the GDPR, adding immense pressure to already-stretched teams. In late 2025, the Royal Borough of Kensington and Chelsea confirmed to the Information Commissioner's Office (ICO) that council data had been copied and extracted as a result of a cyberattack⁵. Currently, the council is contacting a large number of households across the borough, warning that investigating and analysing the stolen data will take several months due to its volume and complexity.
  • Loss of public trust: When citizens' personal information is compromised or essential services become unavailable, community confidence erodes, resulting in reputational damage and loss of public faith. This can have serious and long-lasting consequences, particularly for people in at-risk situations.

Cyber risk as a governance issue

Cybersecurity is not only an IT problem; it is a governance and continuity issue. Effective cyber risk management requires leadership commitment, adequate resourcing and organisation-wide engagement. Decision makers need to be fully aware of the threat landscape, assess their organisation's vulnerabilities and suitably implement proportionate controls.

And instead of a prevention-only mindset, local authorities and businesses need to strengthen their defensive measures, assuming that disruption is inevitable, and plan accordingly.

How can we help?

As a trusted adviser to thousands of public sector and community organisations, Gallagher understands the unique challenges faced by town and parish councils, community groups and local authorities.

Gallagher Cyber Defence Centre offers customised annual membership pricing for organisations of all sizes. You will gain access to vulnerability scanning, threat intelligence webinars, quarterly staff training covering phishing awareness and email security, virtual CISO support and Community Intelligence — a network of security professionals sharing insights on live threats and practical solutions.

We also offer cyber insurance solutions designed specifically for town and parish councils and community organisations. Our policies provide financial and operational support during an incident, covering data breach costs, business interruption, legal and regulatory support and access to specialised incident response teams. Our additional services include risk assessments and staff awareness workshops to strengthen your defences and mitigate risk.

Whether you're a county council or a small parish council, protection is both accessible and essential. Get in touch with our specialists to enhance your organisation's cyber resilience.


Sources

1 Burford, Rachael. "London Councils Confirm Data Accessed and Copied in Major Cyber Attack," The Standard, 28 Nov 2025.

2 "Cyber Security Breaches Survey 2025," GOV.UK, 19 Jun 2025.

3 Howkins, Jessica. "Leicester City Council Data Breach: What You Need to Know," Barings Law, accessed 2 Feb 2026.

4 "Cyber Attack Could Cost Western Isles Council More Than £1m," BBC, 25 Sep 2024.

5 McCamley, Frankie, and Adrian Zorzut. "Data Stolen in Kensington and Chelsea Cyber Attack," BBC, 8 Jan 2026.


Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909.