The number of cyber incidents handled by ANSSI fell by 20% in 2022; however, the threat to local authorities remains as strong as ever. Quite the contrary: during the presentation of the latest cyber threat overview, the new director of ANSSI (January 2023), Vincent Strubel, indicated that 23% of ransomware victims were local authorities in 2022, compared to 19% in 2021. Cybercriminals ‘have been able to seize a multitude of opportunities offered by the widespread use of digital technologies, which are often poorly mastered,’ said ANSSI.
Local authorities are indeed too unaware of the real scale of the threat. This is highlighted in a study by Le Courrier des maires - SMACL assurances (https://www.courrierdesmaires.fr/article/cybersecurite-une-culture-du-risque-qui-reste-a-muscler-au-sein-des-collectivites.27712): awareness of the risk has certainly increased – 47% consider cyberattacks to be a major risk – but almost as many (44%) consider the risk to be minor or even non-existent (6%).
However, the stakes are high. As Rémy Février (https://www.latribune.fr/opinions/tribunes/cyberattaques-contre-les-collectivites-territoriales-le-pire-est-il-a-venir -944897.html), senior lecturer at the Conservatoire National des Arts et Métiers (CNAM), local authorities are intrinsically located at the intersection of three worlds: political, economic and societal: ‘They face three major digital challenges on a daily basis: e-government, e-democracy and the dematerialisation of calls for tenders.’
Being on the front line, while sometimes insufficiently protected, local authorities run the risk of paralysing entire territories.
Cybersecurity: everyone's business
Local authorities must build a relationship of trust with citizens. More and more individuals, professionals and associations are carrying out their administrative procedures online. An incident can permanently break this link. With the increasing dematerialisation of data and the proliferation of digital tools, it is essential to make cybersecurity a priority.
However, cybersecurity is still too often reduced to an exclusively technical issue and delegated to the Information Systems Department. Elected officials and chief executive officers are faced with the cost of implementing dedicated human resources: staff training, raising awareness among elected officials and administrations. Local public actors are thus depriving themselves of a basic level of cyber auditing and vulnerability analysis.
Security Rating®, Board of Cyber's SaaS solution, enables local authorities of all sizes to continuously assess their cyber maturity. This automated, fast and non-intrusive solution focuses on six areas of analysis, including messaging, websites and vulnerabilities. Decision-makers, elected officials, DGS, DSI or RSSI, thus have access to a rating out of 1000 that immediately gives them a clear idea of their exposure to risks. For example, a local authority that obtains a basic score of less than 500 out of 1000 is five times more likely to suffer a cyberattack than if it has an advanced score (above 700).
Beyond the rating and this cyber audit, Security Rating® provides a dashboard, risk mapping, sector benchmarking and a set of reports that facilitate cyber risk management. Finally, Security Rating® shares detailed explanations, priority areas for improvement and operational recommendations with business teams, enabling local authorities to quickly improve their cybersecurity performance.
Local authorities can thus carry out public service missions that require a high level of protection for personal data, citizens and public officials: issuing identity documents and civil status certificates, social assistance applications, access to employment and training, urban planning procedures, community involvement and citizen participation.
A cyber risk observatory
Thanks to Security Rating®, departments, regions and inter-municipal authorities can also monitor the cyber posture of all local authorities in their territory at a glance. A multi-local authority dashboard allows them to visualise, raise awareness and support the entities that comprise it.
In practical terms, this cyber risk observatory makes it possible to quickly launch remediation campaigns for recurring vulnerabilities. It also enables public policies for cyber risk prevention to be implemented by identifying critical and recurring vulnerabilities. Finally, it allows the success of these campaigns to be measured directly on the platform, thanks to changes in the rating. Overall, strengthening local authorities' cybersecurity is the great added value of Security Rating®.
This was reiterated by Nelly Garnier, Special Delegate for the Smart Region, at the launch of the Observatory for Municipal Cybersecurity Performance by the Île-de-France Region and Board of Cyber. ‘Our local authorities have a vital need for support in the field of cybersecurity. The Observatory will enable them to anticipate risks and better defend themselves.’ Nearly 800 local authorities have taken stock of the cyber risk and are building an ecosystem of trust, day after day.
