In early September, Tewkesbury Borough Council experienced a cybersecurity scare that led to significant operational disruption. On discovering unknown user accounts within its internal systems, the council suspected a cyber attack and responded quickly by shutting down all IT services. This action, while necessary for caution, inadvertently triggered a cascade of delays affecting council operations, especially in areas like planning applications.
What Happened?
The council’s IT team identified unknown user accounts and, fearing the worst, declared a major cyber incident on 4 September. As a precautionary step, all online services were disabled, and staff were redeployed to continue essential operations. The shutdown allowed the council to evaluate any potential security threat and ensure that residents, particularly vulnerable individuals, could access essential services through alternative means.
A False Alarm, But with Consequences
The suspected cyber attack was later found to be an internal systems check—a case of the council’s own security mechanisms interacting in unexpected ways. Fortunately, no data was compromised or lost. However, the downtime resulted in a backlog of tasks, particularly within the planning department. By the end of October, the estimated backlog of planning applications surged from 238 to 390.
Chief Executive Alistair Cunningham acknowledged the disruption, stating that it was challenging for teams to maintain regular operations under these circumstances. The council has since made progress in addressing the backlog, and staff are working diligently to return to normalcy.
Key Takeaways for Cybersecurity Preparedness
This incident offers valuable lessons for organisations managing cybersecurity and underscores the importance of thorough planning and clear protocols:
- Incident Preparedness and Testing
Proactive systems testing is essential, but regular, clear communication between IT and cybersecurity teams can prevent misinterpretations like these. Ensuring that testing and maintenance activities are logged and verified helps to avoid unnecessary service disruptions.
- Effective Communication Channels
Rapid and clear communication across departments can prevent misunderstandings. Informing relevant stakeholders about planned security tests and regularly updating them during suspected incidents helps maintain clarity and control.
- Balanced Response to Cyber Threats
While shutting down services was a cautious approach, refining procedures to allow for selective shutdowns might minimise disruptions. Designing an incremental shutdown protocol can limit operational impact while still allowing threat assessments.
- Preparedness for Recovery
When downtime impacts public services, having a streamlined process for recovery can help reduce backlogs. Building robust contingency and recovery plans, especially for public-facing departments, enables faster catch-up post-incident.
Conclusion
The Tewkesbury Borough Council incident serves as a reminder of the complexity and importance of cybersecurity preparedness. While no data was lost and no actual cyber attack occurred, the operational impact was significant. This false alarm highlights the need for organisations to maintain robust incident management plans that balance caution with continuity, ensuring that essential services remain resilient against disruption.