In the last two years, the defining narrative of public sector IT has shifted from digital transformation to digital survival. The ambition of modernisation hasn't disappeared, but it has been overtaken by a more urgent question: what happens when the systems that underpin frontline services simply stop working?
A hard truth has emerged that no amount of policy language can soften: when a local authority's Windows environment goes down, the community it serves goes down with it. Planning applications stall. Benefits processing halts. Vulnerable residents dependent on social care coordination are left waiting, not for hours, but potentially for weeks. The human cost of IT failure in local government is measured in missed appointments, delayed payments and frontline staff rendered unable to do the jobs they were hired to do.
The Threat Is Systemic, Not Exceptional
The NCSC Cyber Assessment Framework (CAF) compliance is now a live expectation, not a future ambition. The Government Cyber Action Plan has set a clear benchmark for 2026 and the pressure on local authorities to demonstrate cyber maturity is intensifying. Yet, the vulnerability is structural, with nearly 28% of the public sector estate still classified as legacy infrastructure. It’s a systemic risk to the communities that local government exists to serve, baked into the architecture of the IT estate itself.
The threat actors exploiting these vulnerabilities are not waiting for procurement cycles to close or transformation programmes to complete. High-profile ransomware attacks on councils across the UK have already demonstrated what happens. The question for every IT leader in local government is no longer if an incident will occur, but whether their organisation can continue to serve residents when it does.
The Problem With Better Backups
Traditional disaster recovery (DR) has attempted to solve this by building a better version of the same vulnerable system: restore the servers, re-image the machines, rebuild the Windows environment from backup. It’s a logical, albeit flawed, approach. If the threat is the environment itself, then recovering that environment faster does not make the organisation more resilient. It simply accelerates the return to the same exposure.
The most forward-thinking councils are beginning to reframe the problem entirely. Rather than asking "how quickly can we restore what we had?", they are asking "how do we continue to operate while the primary environment is compromised?"
The Broken Glass Strategy
This shift in thinking has given rise to what is being called the "Broken Glass" strategy: the deliberate construction of a secondary, immutable path to service delivery that exists entirely outside the vulnerable Windows estate. Not a backup of the primary environment - a parallel one that’s ready to deploy the moment the primary network fails, without depending on any component of it.
The mature technology solution to deliver this exists today: ChromeOS. As a read-only, cloud-native operating system, it is architecturally immune to the Windows-based ransomware attacks that have crippled other councils and organisations. Its security model, built on process sandboxing, verified boot and automatic updates, prevents malicious payloads from executing and spreading across the IT estate. It does not rely on the same trust assumptions that legacy environments carry.
Combined with Virtual App Delivery through Cameyo by Google, which containerises legacy Windows applications and delivers them securely through the browser, entirely eliminating the need for VPNs. This means that frontline staff can access their exact working tools within minutes of a crisis event, on any available device. The applications they depend on do not move; the delivery mechanism changes entirely.
Chrome Enterprise Premium (CEP) is the security layer that binds the solution together, enforcing Zero Trust access and advanced Data Loss Prevention controls directly within Chrome Browser. In a crisis scenario when staff may be operating from shared, personal, or borrowed devices, CEP is the difference between a controlled, auditable recovery and a secondary data breach that compounds the original incident.
Resilience Without Rip-and-Replace
For many organisations, the barrier to action is not appetite for change, but the assumption that resilience requires new hardware investment at a time when capital budgets are under sustained pressure. ChromeOS Flex removes that assumption entirely, transforming existing end-of-life Windows devices into secure, cloud-first recovery stations. Sweating assets rather than replacing them is - in the current IT procurement landscape - the smarter, more sustainable strategic choice.
Resilience built on infrastructure you already own, delivering continuity you currently lack, is not an aspiration. It is an achievable programme with a narrow window before the 2026 benchmarks crystalise into formal accountability.
As Google's #1 Premier Partner in the UK and Ireland, Getech offers funded proof-of-concept programmes using devices you already own. Click here to register your interest in a Discovery Day at Google London.