Governance · 10 February 2026 · Audit and Governance

Norfolk Council strengthens cyber defences after surge in attacks

Norfolk County Council's Audit and Governance Committee reviewed a detailed report on cyber security threats and agreed new measures to protect council systems, including giving senior IT leaders explicit authority to shut down systems during an attack without prior approval.

Norfolk County Council is stepping up its defences against cyber attacks after a presentation to the Audit and Governance Committee on 10 February revealed the growing scale of the threat facing public bodies across the UK.

The National Cyber Security Centre (NCSC) has reported that the UK is now experiencing four nationally significant cyber attacks every week. In November 2025, three London borough councils — Kensington and Chelsea, Westminster, and Hammersmith and Fulham — suffered a simultaneous attack after sharing a data centre, disabling their contact centres, websites and phones and resulting in sensitive data being stolen.

The committee agreed that the council's Director of Digital and Transformation, and in their absence the Head of IT, must have explicit authority to isolate systems, revoke access or shut down connections immediately during a cyber incident — even without prior consultation — if circumstances demand it. This authority will be written into the council's recovery plan.

Norfolk has already taken a number of steps to protect itself. These include backing up all Microsoft 365 data — including emails, OneDrive and SharePoint files — to a secure location at a cost of £95,000 per year. The council has also deployed Cloudflare to protect its public-facing websites from denial-of-service attacks, following what the presentation described as sustained attacks of "pro-Russian origin".

The council has signed up to the NCSC's Early Warning service and gained accreditations allowing it to access NHS patient data and Department for Work and Pensions (DWP) information securely.

A new 24-hour Security Operations Centre (SOC) partnership is being commissioned with technology company Phoenix to monitor council systems around the clock. This addresses what officers described as the council's most significant current vulnerability: a lack of out-of-hours coverage.

The committee was also told the council is planning to complete the installation of Microsoft Sentinel, a cloud-based security monitoring tool, at an estimated cost of £70,000 to £100,000 per year, with a further £70,000 per year for round-the-clock monitoring and automated response capability.

The council acknowledged a heavy reliance on US technology companies, particularly Microsoft and Oracle, but confirmed it uses UK-based data centres, keeping it compliant with UK data protection law. Officers also confirmed the council can operate key services offline if a major provider suffers an outage.

Supply chain risk was flagged as one of the most significant vulnerabilities identified nationally. Work is underway to make cyber security certification a mandatory requirement for all council suppliers, not just digital ones.

A disaster recovery exercise involving at least one major live system is also being planned for 2026. The council's last major test of this kind was in 2023.
