Are French local authorities vulnerable to cyber threats?
Cybersecurity has become everyone’s concern: businesses, organizations, government agencies, individuals, and, of course, local governments.
To provide an up-to-date assessment of the issue, the Cybermalveillance.gouv.fr platform commissioned OpinionWay to conduct a study on the cybersecurity readiness of French local governments.
The results of this study, which surveyed 1,710 elected officials and municipal employees from towns with fewer than 25,000 residents, were presented at the Mayors and Local Authorities Fair on November 19, 2024.
The survey shows that, despite significant efforts, French communities remain highly vulnerable in the face of growing threats.
Small municipalities, in particular, still too often underestimate the risks associated with digital technology and/or lack the human and financial resources to address them.
Local Governments and Cybersecurity: A Current Overview
A network of very small rural towns
First and foremost, it is important to fully understand the landscape of the French local governments covered by the study commissioned by Cybermalveillance.gouv.fr.
70% of French municipalities with fewer than 25,000 residents (the survey's target group) have fewer than 1,000 residents.
Most of these municipalities are rural, typically employ fewer than 10 staff members, and therefore have fewer than 10 computers.
Consequently, they obviously do not have dedicated IT security staff who can guide them in this area.
Cyberthreats Underestimated by Small Municipalities
Because of their size and structure, many local governments continue to underestimate their exposure to cyber threats.
According to the survey, nearly half of the municipalities with fewer than 300 residents consider themselves to be at low risk.
Paradoxically, many local governments feel vulnerable to cyber threats. Only 14% of municipalities believe they are sufficiently prepared in the event of an attack.
Local governments that are regularly targeted by cyberattacks
In fact, local governments are among the primary targets of cybercriminals. According to the study, 10% of municipalities report having been the victim of at least one attack in the past 12 months.
Common attack vectors include downloading viruses, visiting infected websites, and unpatched security vulnerabilities.
Unsurprisingly, phishing is the most commonly used method for breaching information systems, accounting for 30% of cases. This figure likely understates the real share, as 45% of respondents do not know the cause of the attack they suffered.
Elected officials and staff members, who are often unaware of the risks, become easy targets. Inadequate training exacerbates the situation, leaving these individuals vulnerable to phishing attempts.
AvantdeCliquer helps local governments combat phishing.
Communities that are unevenly and inadequately protected
Promoting cybersecurity fundamentals
Given these findings, the first line of defense is, of course, to invest in cybersecurity systems.
A large majority of municipalities have antivirus software, firewalls, and a backup solution—the three essential pillars of cybersecurity.
However, too few of them implement a strong password policy, and even fewer use two-factor authentication.
Keep personal and professional use separate
The study also notes that the use of personal devices is widespread, particularly for budgetary reasons.
Personal devices used in the municipal setting include cell phones, computers, USB drives, and email.
When it comes to digital tools, the line between personal and professional life is not always clear-cut.
However, this blurring could be a vulnerability exploited by hackers.
Training elected officials and local government employees in cybersecurity
Awareness is key to building communities’ resilience against cyber threats. Training elected officials and local staff in best practices can significantly reduce the likelihood of successful cyberattacks.
The training helps instill a culture of cybersecurity among users. They will then be able to identify suspicious emails and warning signs (unknown sender, spelling mistakes, suspicious links) in order to avoid falling victim to phishing attempts.
Raising awareness among elected officials and staff is, in fact, cited as a top priority by 62% of respondents. This is despite the fact that 73% have already received at least one training session on IT security.
This clearly underscores the importance of ongoing, rather than one-off, awareness efforts to effectively combat cyber threats.
Local governments' reluctance regarding cybersecurity
Budgets are too tight to invest in cybersecurity
The lack of funding for IT partly explains the shortcomings of local governments in terms of cybersecurity.
In fact, 73% of municipalities allocate less than €5,000 per year to IT equipment, and 77% spend less than €2,000 per year on the security of these systems.
Even more concerning is the fact that an increase in funding for cybersecurity does not appear to be on the agenda for the overwhelming majority of local governments.
In fact, only 10% of municipalities plan to increase spending in the coming months. Of those, 90% intend to invest in hardware solutions, while only 31% plan to invest in awareness-raising initiatives.
It is also worth noting that it is municipalities with more than 1,000 residents that plan to invest in cybersecurity. The overwhelming majority of very small municipalities have no intention of doing so.
A lack of skills among elected officials and staff
However, budget constraints are not the main reason preventing local governments from better protecting their information systems.
In fact, a lack of knowledge is the main issue in nearly half of the cases. This finding is supported by the fact that 70% of respondents do not feel capable of assessing the suitability of cybersecurity solutions.
It is also worth noting that for 16% of respondents, cybersecurity is not a priority, and for 9%, the issue simply does not concern them.
As we can see, awareness remains uneven, especially in small towns. This is why support and outreach are key factors.
A need for support in the face of cyber threats
As we have seen, most small and medium-sized municipalities do not feel equipped to handle cybersecurity issues.
They therefore turn primarily to their IT service provider and local government agencies (the Gendarmerie, the Police, and the Prefecture) for advice.
Only 13% of local governments view the one-stop resource Cybermalveillance.gouv.fr as their primary point of contact. Yet it plays a vital role in helping them secure their IT systems and providing guidance in the event of an attack.
Cybermalveillance.gouv.fr can, in particular, connect applicants with certified service providers.
Finally, it should be noted that this service is primarily used by municipalities with more than 10,000 residents, and remains very rarely used by smaller municipalities (9%).
Conclusion: Making Cybersecurity a Priority for Local Governments
Cyberthreats are not inevitable. By investing in awareness campaigns—particularly regarding phishing—and by allocating appropriate resources, French local governments can improve their resilience against cyberattacks.
However, the challenge remains significant, particularly for small communities that continue to underestimate their vulnerability and lack the financial and human resources to protect themselves effectively.
It is nonetheless urgent to treat cybersecurity as a critical priority, even for small municipalities. Elected officials, staff, and service providers all have a role to play in anticipating, detecting, and responding to threats.
Communities cannot afford to remain vulnerable in an increasingly digital world. Awareness, combined with concrete action, is the key to a more secure future.
Source: Survey conducted by OpinionWay for Cybermalveillance.gouv.fr from August 26 to October 4, 2024
FAQ: Cybersecurity for Local Governments
1. Why are local governments targeted by cyberattacks?
Local governments handle sensitive data and are often inadequately protected due to limited budgets and a shortage of qualified cybersecurity personnel. These vulnerabilities make them prime targets for cybercriminals, particularly through attacks such as phishing and ransomware.
2. What are the main consequences of cyberattacks for municipalities?
The main consequences of cyberattacks are:
- The destruction or theft of sensitive data
- The interruption of IT services
- A financial loss
- A blow to the community's reputation
3. How can small towns protect themselves on a limited budget?
Even with limited resources, it is possible to strengthen cybersecurity:
- Install antivirus software and a firewall.
- Provide regular training for elected officials and local government employees on best practices (including raising awareness about phishing, which is the primary entry point for hackers).
- Implement two-factor authentication for access to sensitive systems.
- Use the one-stop resource at Cybermalveillance.gouv.fr.
- Contact AvantdeCliquer to conduct a vulnerability assessment (Phishing Pentest).
4. Why is it important to train elected officials and staff on cybersecurity?
Elected officials and staff are often the first line of defense against cyberattacks. Tailored training enables them to:
- Identify fraudulent emails and suspicious links.
- Respond quickly if an attack is suspected.
- Practice safe habits every day.
5. What are the first steps to take in the event of a cyberattack?
In the event of an attack:
- Immediately disconnect the affected systems from the network to minimize damage.
- Notify your IT service provider and the relevant authorities (Gendarmerie, Cybermalveillance.gouv.fr).
- Never pay a ransom if you are hit by ransomware.
6. Are there any resources or tools available to support municipalities?
Yes, there are several resources available:
- The Cybermalveillance.gouv.fr website offers tools, guides, and support in the event of an incident.
- Certified service providers can offer tailored solutions.
- Some regions or the state offer grants to improve cybersecurity in local communities.
7. What are the essential tools and best practices for securing municipal IT systems?
Basic tools include:
- An antivirus program that is updated regularly.
- A firewall to protect the network.
- A solution for regular data backups.
- Two-factor authentication to prevent unauthorized access.
- A strong password policy.
- Ongoing awareness of phishing.
- Equipment designated exclusively for work purposes (computers, phones, USB drives, email addresses, etc.).