4 min

Local authorities and the risks of cybersecurity

Local authorities are undergoing a far-reaching digital transformation, driven as much by regulatory obligations as by a desire to provide a better service to the public. This increasing dependence on digital technology, coupled with the different sizes of local authorities, creates excessive exposure to risk and some very real vulnerabilities.

Cyber risks - Fabrice Deblock - October 11, 2023

In 2020, almost 30% of local authorities fell victim to a ransomware attack, according to a Clusif study. Local authorities continue to underestimate this risk, however, with 62% of respondents rating it as low, even though the highest financial impact reported in the study was €400,000. The study also revealed that learning from incidents is not yet top of the agenda, with priority given to restoring service rather than analyzing the attack and gathering information.

According to the authors of the report: “Given the lack of information gathering on incidents, formal cyber crisis management is weak and lags behind practices found in companies. Only a quarter of local authorities have put in place business continuity or disaster recovery plans (BCPs/DRPs), and testing these does not happen very frequently.”

What are the main cybersecurity challenges facing local authorities? What support do they need? How can the State help them? These were the questions discussed at a round table entitled Local authorities and territories: trusted digital technology as a key to cyber resilience, organized as part of the Hexatrust summer schools on September 19 this year.

Raising awareness among employees… and elected representatives

“There are many challenges when it comes to cybersecurity, because local authorities are providing an ever-growing number of digital services that they need to protect. And when a cyberattack hits a local authority, as happened in Lille in March 2023, we of course have to defend the infrastructure, but we also have to ensure service continuity for the public,” says Florence Puybareau, Director of Operations at the Hauts-de-France Lille Métropole Cyber Campus.

The situation on the ground varies enormously. Local authorities have very different profiles, ranging from one extreme to the other, particularly in terms of size and skills. The first step in strengthening the defenses of a town hall, local authority or conurbation is to raise awareness and train staff. An organization’s people are the first line of defense against cyberattacks. “Many local authorities still believe they’ll be hit by a ‘stray bullet’, when a town hall employee casually clicks on a fraudulent link. Smaller local authorities are still a long way from fully appreciating how bad things can happen”, says Sylvain Lambert, CISO at Pôle Emploi and President of the rural mayors of Yvelines.

But employees are not the only people who need training. “We need to raise awareness not only among our staff, but also among our elected representatives, who are generally full of good intentions, but still have very little idea of the risks involved,” says Florence Puybareau. “Every elected representative has a different background and is not a cybersecurity specialist. An IT culture has started to take root in local authorities, but digital culture is still in its infancy. Cybersecurity vocabulary, acronyms and concepts can therefore sometimes be difficult to grasp,” says Frédéric Masquelier, mayor of Saint-Raphaël and co-chair of the Association of French Mayors’ security committee.

Another factor to consider is the management team (and its sometimes complex workings). “Elected representatives are like a chef in a kitchen, defining the broad outlines of the menu and making sure the dishes are in line with everything agreed. They work hand in hand with the management team, which plays a key role in IS security. So, we have two key players: the mayors, who determine the broad outlines, and the departmental general managers, who are responsible for practical implementation,” says Masquelier.

Need for reliable turnkey solutions

Another area of concern for local authorities is the lack of budget, time and technical skills. “In most cases, local authorities have very little budgetary leeway. So we need simple, approved solutions that we can understand, that come with technical support and that don’t cost us a lot of money”, explains Lambert. Emmanuel Carjat, Managing Director of AntemetA, agrees: “When you have a limited budget, you want highly automated solutions that are extremely simple to deploy.”

Talking specifically about the town of Saint-Raphaël, Masquelier says: “Every year we receive 35,000 letters, and not one of them has anything to do with how we manage our IT or digital services. All our municipal work revolves around issues relating to housing, household waste, roads, managing schools and canteens, and so on. Our teams are on call 24/7. We have a responsibility to look after cybersecurity, but that doesn’t mean that mayors are bad if they don’t look after it. It simply means we don’t have enough time. That’s why we need turnkey solutions, and professionals who are willing to support us.”

So, the question is: how can government departments help local authorities choose the right solutions from a small number of specialist vendors in this sector? This issue is particular important in the case of accounting software, which underpins the day-to-day operations of local authorities.

The real challenge for local authorities is how much they can trust these strategic tools, especially when they are hosted in the cloud. “Local authorities need trusted solutions, and that means approved solutions that mayors can choose with complete confidence, knowing that their technical departments have analyzed and validated them beforehand,” says Carjat.

When cybercriminals do strike, the Cyber Campuses stand shoulder to shoulder with local authorities to provide the help they need – always invaluable in such circumstances. “One of our key roles is to help raise awareness before an attack, which we do with all the local stakeholders. But when a cyberattack hits, it’s also our role to direct local authorities to the right people,” concludes Florence Puybareau.

Send this to a friend