Concerns are mounting in Cheltenham as only half of the borough’s councillors have completed their mandatory cyber security refresher training, raising fears that critical council services could once again fall victim to cyberattacks.
A recent Freedom of Information request uncovered that just 20 out of 40 Cheltenham Borough Council councillors have taken part in the required online training. This shortfall has alarmed some officials who worry that inadequate cyber awareness among councillors could leave the council vulnerable to attacks similar to the crippling ransomware incident that struck Gloucester City Council in 2021.
During that attack, Russian hackers infiltrated council systems through a deceptively crafted email, unleashing malware that rendered essential services inaccessible. The fallout disrupted housing benefit claims, council tax payments, leisure bookings, and delayed property sales and searches. Gloucester City Council faced years of recovery and financial strain, with reports indicating potential bankruptcy linked to accounting irregularities post-attack.
READ MORE: ‘Outstandingly Beautiful’ Little-Known Cotswolds Village Feels Like Stepping Back in Time
READ MORE: Death Notices and Funeral Announcements from Gloucestershire This Week
Across Gloucestershire, local authorities have varied in their cyber security training uptake. Cheltenham Borough Council reports 90% of its officers have completed training, a stark contrast to the 50% completion rate among councillors. The council stresses that training is regularly offered through online modules and in-person sessions, continually encouraging participation.
One anonymous Cheltenham councillor highlighted the risk, stating, “Systems are only as strong as their weakest link. If that link is councillors neglecting mandatory training, it leaves critical systems exposed to cyber threats.”
Other councils have demonstrated stronger compliance. Tewkesbury Borough Council, which faced a cyber scare in 2024, boasts a 98% staff completion rate and 86% among councillors, with annual training offered. Stroud District Council reports nearly 75% staff uptake but has not disclosed councillor figures, noting training and briefings are part of induction processes. Gloucester City Council maintains its IT infrastructure’s robustness and emphasizes regular staff and councillor training but declines to disclose completion rates citing law enforcement concerns.
Cotswold and Forest of Dean District Councils report a 94% completion rate among officers and have recently initiated annual refresher training programs for councillors. Gloucestershire County Council has yet to respond to information requests on training uptake but has apologized for delays.
The National Cyber Security Centre (NCSC) underscored in their 2025 review that geopolitical state actors such as China, Russia, Iran, and North Korea continue to pose significant cyber threats globally, emphasizing the necessity for organisations to integrate cyber security within operational resilience strategies.
In support, the Ministry of Housing, Communities and Local Government (MHCLG) has allocated over £23 million in grants and technical assistance since 2020, helping councils adopt the Cyber Assessment Framework and establishing a Cyber Incident Response service to mitigate the impact of severe cyber events on public data and services.
As Cheltenham and surrounding councils face escalating cyber risks, ensuring full participation in cyber security training, especially among councillors, is critical to safeguarding vital public services and maintaining community trust.