NIS2 invites local authorities to better deal with cyber attacks

21 January 2025

Public administrations are prime targets for cyber-attackers. In order to guarantee the smooth running of society and ensure the continuity of essential services to the population, the new European NIS2 directive requires them to take better account of the risks associated with IT security and to strengthen their cyber resilience. With this in mind, to turn constraints into opportunities, they need to embark on a continuous improvement process.

Faced with the evolution of cyber threats, the NIS2 directive adopted by the European legislator obliges players considered essential to the smooth running of society to strengthen their level of security. The new version of this directive has considerably broadened the scope of the regulations, forcing a greater number of organisations to adopt best practice in cyber security. Local authorities in particular are directly affected.

Local authorities, prime targets

‘Since the invasion of Ukraine by Russian troops, there has been an increase in the activity of cybercriminal groups backed by state powers,’ comments Aline Moyret, GRC Practice Manager at DEEP. ‘Malicious actors are particularly targeting entities that manage sensitive data, have limited resources and carry out activities that are essential to the smooth running of society. Among those that fit this description are local authorities’.

The risks are considerable. Recovering land registry data, for example, enables attackers to generate profits, as this information can be highly valued on the darknet, but also to create tensions on real estate markets. Several months ago, the city of Marseille was paralysed by ransomware. For a period of time, several services essential to the population were disrupted.

Disrupting the smooth running of society

By trying to block or disrupt the smooth running of municipal administrations, attackers are seeking above all to undermine institutions and exert pressure on public authorities. ‘The threat is real in Luxembourg, as evidenced by the observations of the National Cybersecurity Competence Center (n3c.lu). For several months, there has been an increase in attacks by groups linked to Russia or North Korea. And public administrations are proving to be the most targeted entities’, adds Aline Moyret.

Faced with these risks, tougher regulations are forcing public authorities, particularly local authorities, to take the necessary measures to deal with cyber attacks and, in the event of an incident, limit the impact on their ability to deliver services. ‘In other words, local authorities must seek to strengthen their cyber resilience, by preparing for any possible incident and ensuring that they will be able to continue their essential activities,’ adds the expert. 

Real awareness

For local authorities, these new requirements mean that they have to embark on a process of transition. ‘Most managers are now aware of what's at stake. They are also aware that they are part of a value chain, the weakest link in which determines the level of security of the entire ecosystem,’ continues Aline Moyret. They understand the need to strengthen their security posture, but deplore the lack of resources, both human and financial. This lack of resources, particularly within local authorities, often means that these issues are not properly understood.

Strengthening every element of the European ecosystem

Through NIS2, the legislator aims to strengthen the cybersecurity capabilities of a vast ecosystem throughout the European Union. To achieve this objective, each element of the ecosystem needs to be strengthened, by encouraging stakeholders to better assess the risks and take the necessary measures to prevent them. ‘We need to guarantee the continuity of activities that are essential to the smooth running of society as a whole, while being aware of the many interdependencies that exist between players in the European Union’, explains Aline Moyret.

New requirements

The directive imposes a series of requirements in order to get players on board. ‘For example, management bodies can be held liable in the event of failure. They must therefore have a good understanding of the risks and take the necessary measures to counter them’, explains Aline Moyret.

The regulations also define the minimum cybersecurity measures to be put in place. They also require entities to report any incidents they observe to the regulators in accordance with well-established procedures.

Taking risks as a starting point for better preparation

‘To meet these new requirements and strengthen their resilience, local authorities need to prepare themselves. I think it's important to see this directive as an opportunity, a lever for improving safety for society as a whole,’ adds the expert. In this context, each public authority must put in place security strategies and policies based on a risk analysis. To do this, they need to have a good understanding of their IT environment, be able to identify with all their teams what is essential to protect, and determine the measures to be taken to optimise the protection of critical data. Beyond that, they need to strengthen their ability to manage incidents.

A continuous improvement approach

‘While these regulations may seem extremely restrictive, they must above all commit all those involved to a continuous improvement approach. A risk-based approach, which takes account of the context and vulnerabilities, enables priorities to be set and security needs to be better identified so that they can be met as effectively as possible,’ explains Aline Moyret. ‘It also enables us to put in place the controls needed to detect incidents and know what is happening in our environment. The other major challenge is to prepare for a possible crisis, by proposing exercises and anticipating certain scenarios’.

For many years now, the POST group has been helping players to manage their risks and strengthen their security, offering service continuity and cyber resilience solutions. All this expertise has now been brought together within DEEP, to support private and public sector players and help them to continuously improve their security posture.