The number of cyber incidents handled by ANSSI fell by 20% in 2022; for local authorities, however, the threat is not waning. Quite the contrary: at the presentation of the latest cyber threat panorama, ANSSI's new director (January 2023), Vincent Strubel, indicated that 23% of ransomware victims were local authorities in 2022, compared with 19% in 2021. Cybercriminals "have been able to seize a multitude of opportunities offered by the generalization of digital uses that are often poorly mastered", ANSSI asserted.
Local authorities are too little aware of the true scale of the threat. According to a study by Le Courrier des maires - SMACL assurances, risk awareness has certainly increased - 47% consider cyber attacks to be a major risk - but almost as many (44%) consider the risk to be minor, or even non-existent (6%).
Yet the stakes are high. As Rémy Février, Senior Lecturer at the Conservatoire National des Arts et Métiers (CNAM), points out, local authorities are intrinsically at the intersection of three worlds (political, economic and societal): "they face three major digital challenges on a daily basis: e-government, e-democracy and the dematerialization of calls for tender".
By being on the front line, even though they are sometimes insufficiently protected, local authorities run the risk of paralyzing entire regions.
Cybersecurity is everyone's business
Local authorities need to build a relationship of trust with their citizens. More and more individuals, professionals and associations are carrying out their administrative procedures online. An incident can break this bond for good. With the increasing dematerialization of data and the multiplication of digital tools, it is essential to make cybersecurity a priority.
However, cybersecurity is still too often reduced to an exclusively technical issue, and delegated to the Information Systems Department. Elected representatives and general managers are faced with the cost of implementing dedicated human resources: training staff, raising awareness among elected representatives and administrations. As a result, local public sector bodies are deprived of a first-level cyber audit and vulnerability analysis.
Security Rating®, the SaaS solution from Board of Cyber, enables local authorities of all sizes to assess their cyber maturity on an ongoing basis. This automated, rapid and non-intrusive solution focuses on six areas of analysis, including messaging, websites and vulnerabilities. Decision-makers, whether elected representatives, general managers (DGS), CIOs or CISOs, have access to a score out of 1000, which immediately gives them a clear idea of their exposure to risk. For example, a local authority with a basic rating (below 500 out of 1000) is five times more likely to suffer a cyber attack than one with an advanced rating (above 700).
In addition to the rating and the cyber audit, Security Rating® provides a dashboard, a risk map, a sector benchmark and a set of reports that facilitate the management of cyber risks. Finally, Security Rating® shares with business teams the detailed explanations, priority points for improvement, and operational recommendations that enable local authorities to rapidly improve their cybersecurity performance.
In this way, local authorities can carry out their public service missions, which require a high level of protection for personal data, citizens and public employees: issuing identity and civil status documents, applying for social assistance, access to employment and training, town planning procedures, associative commitments and citizen participation.
A cyber risk observatory
Thanks to Security Rating®, départements, regions and inter-municipalities can also monitor the cyber posture of all local authorities in their area at a glance. A multi-community dashboard can be used to visualize, raise awareness and support the entities that make up the territory.
In concrete terms, this Cyber Risk Observatory makes it possible to rapidly launch remediation campaigns on recurring vulnerabilities. It can also be used to initiate public policies to prevent cyber risk, by identifying critical and recurring vulnerabilities. Finally, it enables the success of these campaigns to be measured directly on the platform, thanks to the evolution of the rating. All in all, strengthening the cybersecurity of local authorities is the major added value of Security Rating®.
As Nelly Garnier, special delegate for the Smart Region, reminded us at the launch of the Observatoire de la performance cybersécurité des communes by the Île-de-France Region and Board of Cyber: "Our local authorities have a vital need for support in the field of cybersecurity. The Observatory will enable them to anticipate risks and better defend themselves". Nearly 800 local authorities have taken the measure of the cyber risk and are building, day after day, an ecosystem of trust.