Sandwell Council is planning to spend £5.5 million on “enhanced” security updates for its entire IT system and is set to award a £4.7 million three-year contract an external IT consultancy to carry out the work.

A further £459,000 would be spent on servers and ‘cloud’ storage and another £266,000 on artificial intelligence (AI) software. Sandwell Council said not upgrading its IT system could leave the authority open to months of disruption, “excessive” clean-up costs and “destroy” its reputation.

The plans were backed by Sandwell Council’s cabinet at a meeting on February 7.

At the meeting, Cllr Jackie Taylor asked how many companies had bid for the contract and what feedback had the council received about Phoenix Software. “How are we sure we are getting value for money?” she asked. Cllr Bob Piper, cabinet member for finance at Sandwell Council, said Phoenix Software was “vastly experienced” and the council had used the company for software upgrades on the last two occasions.

“The route [for directly awarding the contract to Phoenix Software] was taken as Microsoft pricing is pre-negotiated anyway on behalf of local government which therefore makes tendering a fairly ineffective exercise,” he said. “Phoenix has vast experience in delivering value to the UK public sector for organisations using Microsoft technology.”

Most councils across the Black Country and the West Midlands, including the West Midlands Combined Authority, are in the process of upgrading or have already upgraded to Microsoft Enterprise 5 (E5). The council’s current contract ends in March.

Cabinet papers published before the meeting said the threat of a successful cyberattack at the council had risen “dramatically.”

“Cyber security resilience is a de-facto necessity for any organisation reliant on ICT business applications and electronic data,” the cabinet papers explained. “The council is now wholly dependent on technology for the provision of its front-line services. “The failure of the council to protect itself from a successful cyber-attack would be widespread.

“There is now a nationwide feeling of not if an attack will occur but when,” the report continued.

“The consequences are multiple and evidenced by successful attacks which have previously occurred in Hackney, Gloucester, and Copeland.

“All resulted in significant business disruption and expensive recovery and clean-up costs.”