Cybersecurity concerns all municipalities

How to protect your community from cyber attacks

France’s digital transformation is gathering pace on all fronts, especially in small communes that were not necessarily equipped for it until now. Ways of working are changing, and teleworking is becoming increasingly important in these times of health crisis. This period opens up new opportunities for smaller communities that are computerizing: they can offer their constituents online services.

At the same time, this transformation means taking into account the risks associated with an Internet presence and new ways of communicating by email. While larger towns may have a dedicated IT team to deal with these issues, smaller towns may not have the resources to hire people to provide this service.

How can smaller town halls manage their IT security in the absence of an Information Systems Security Manager?

What are the risks of cyber attacks?

Whether they originate externally (via a website, a cell phone…) or internally (via elected officials’ USB sticks, agents’ weak passwords…), cyber-attacks are risks that must not be neglected.

There are three main types of attack on local authorities: website defacement, ransomware and compromised e-mail accounts.

The first, website defacement, may involve a link from the commune’s showcase site to other erroneous content, or to content that discredits the commune, such as a pornographic site. Ransomware, which is usually transmitted by e-mail, is designed to block one or more user workstations, locking all data until a ransom is paid. This type of attack can be very costly for a municipality. The third category is the compromise of e-mail accounts, which often takes the form of phishing, the aim of which is to steal victims’ logins and passwords. Hackers are not lacking in imagination, and other attacks are well known, such as denial of service, which consists of saturating a site with a large number of simultaneous requests until it becomes unavailable.

The first consequence of a cyber-attack can be that a local authority is unable to fulfill its public service missions for its constituents (due to sabotage of its IT equipment, for example). Hackers could also access and disclose confidential data (such as civil status information). These malicious maneuvers also cause financial losses for local authorities and damage their image in the eyes of the public.

Regardless of the type of cyber-attack, local authorities are obliged to address cybersecurity issues in order to organize themselves in advance and be in a position to manage a crisis as effectively as possible.

How should local authorities organize themselves?

Local authorities are invited to launch 4 projects to protect themselves against cyber-attacks.

The 1st task will be to raise staff awareness, on a regular and ongoing basis, because we need to keep in mind that people are at the heart of these IT security issues. It’s essential that our staff embrace the change in behavior required to protect user data, and implement a genuine digital security policy. Best practice guides are particularly useful if they are concise, punchy and entertaining. In this respect, www.cybermalveillance.gouv.fr provides users with practical information sheets on security issues relating to cell phones, passwords, phishing…

The 2nd project to be launched will involve drawing up an inventory of the local authority’s information systems, to ensure that its missions are carried out in compliance with digital security rules. This means clearly identifying hardware, software and network connections. It should list all the players involved, whether directly or indirectly, in the city’s IT process chain: residents, agents, elected representatives, service providers, suppliers, subcontractors, etc. See the ANSSI guide: Cartographie du système d’information, Guide d’élaboration en 5 étapes.

The 3rd project concerns the contractual clauses of IT service contracts, in order to identify IT security risks such as reversibility, data backup or restoration. Local authorities should be aware that the delegation of IT security responsibilities does not imply a transfer of responsibility. Both the delegator and the delegatee are liable.

Finally, the 4th project to be implemented will be the development of a plan and/or procedure to be followed in the event of a crisis linked to a cyber attack. It is important to anticipate the management of a computer attack in order to limit its scope and enable continuity or recovery of activity for the municipality, as quickly as possible. In the event of digital sabotage, the first step is technical resolution, which can take from a few hours to several weeks. To help you resolve these incidents, you can find a list of service providers at www.cybermalveillance.gouv.fr. Secondly, the victim municipality must be able to ensure continuity of public services. That’s why having backups of your data can be crucial, especially in the event of a ransomware attack. Last but not least, communication about the events that have taken place is essential in order to provide the best possible support to all those involved and to the target audience.

How should local authorities prepare technically?

Before purchasing or installing any additional IT security tools, it’s a good idea to have an audit carried out. The audit will be able to highlight any vulnerabilities in your information system, with a view to implementing improvements without delay. Here’s where the main vulnerabilities lie and what to watch out for:

Websites: the use of strong passwords is important, and software and operating systems associated with websites need to be updated regularly. The use of a WAF can quite easily solve several problems.

Wifi: access passwords need to be strong enough, so use WPA2 encryption as a minimum. It’s essential to partition Wifi networks between internal and external users.

E-mail: secure users’ mailboxes, and wherever possible, implement encryption for e-mail exchanges. Altospam’s email protection solution addresses these two points (and others) to enhance the security of electronic conversations. Use TLS-secured versions of the POP3 and IMAP4 protocols.

Servers and user workstations: applications must be backed up and updated on all workstations and servers.

Mobile devices: they must also incorporate anti-virus protection and be kept up-to-date.

The Cloud: working with French service providers that respect the GDPR and digital security is decisive.

IT infrastructure: the municipality needs to install a firewall (the first digital security lock), and be vigilant about the entry points represented by copiers, fax machines, scanners and surveillance cameras.

If, despite all the precautions you’ve taken, you unfortunately find yourself the target of a cyberattack, you should immediately contact the appropriate authorities, such as the police and gendarmerie, CNIL, ANSSI and www.cybermalveillance.gouv.fr. You can also find out what to do first in the event of a ransomware attack: https://www.altospam.com/actualite/2020/11/que-faire-en-cas-dattaque-par-rancongiciel/

What’s more, you can consult the complete Guide to Cybersecurity on the AMF website, from which we have prepared this summary.
