Cities, town halls, counties, regions… Organizations that serve the public, regardless of their size, are potential targets for cyberattacks. When local governments are targeted, the government itself is implicitly in the hackers’ crosshairs.
In fact, in 2019, ANSSI recorded 92 cybersecurity incidents targeting municipalities and intermunicipal bodies. With the trend on the rise, 2020 was a record-breaking year in terms of cyberattacks targeting local governments. Although most organizations, for legal reasons, rarely disclose the financial impacts, it is easy to estimate the costs incurred by these cyberattacks.
The tip of the iceberg: the most well-known costs
The Case of Ransomware
According to ANSSI, the costs and damage caused by ransomware can include:
Financial losses such as extortion. For example, a local government was hit by a ransomware attack that encrypted thousands of files. The ransom amount? Over 150,000 euros!
IT investigations, damage to IT infrastructure, and the restoration of IT services. For example, in the city of Houilles (Yvelines), a cyberattack in January 2021 cost the municipal budget 350,000 euros (source: actu.fr).
An operational loss or disruption—or even a shutdown lasting from a few days to several weeks—can prevent a city hall from providing its usual administrative services.
It is worth noting that studies show that, on average, it takes an organization about 196 days to detect a security incident, regardless of its industry. (Source: ANSSI and the Ponemon Institute: 2018 Cost of a Data Breach Study).
Damage to the reputation and, consequently, a loss of trust in the affected municipality, the intermunicipal body, or elected officials.
Certain instances of data loss and/or breaches of the integrity of sensitive or classified data can result in significant costs. It is important to remember that local governments store civil registry, identity, and identification data in their information systems!
For example, in 2020, six months after a French municipality was hacked, the hackers released 40 GB of the city’s data, including a database of 23,000 email addresses, the names and employee ID numbers of city employees, and all sorts of private information.
Finally, let’s consider the human costs affecting both employees and users: for example, the impact on employees’ wages if the application in question is part of the targeted information system.
It is also worth noting the potential collateral damage that could result if the ransomware were to be deployed across interconnected networks.
And that's just the tip of the iceberg.
The hidden costs: what are the least obvious expenses?
These include costs related to:
- the loss of productivity associated with going back to pen and paper, and the time lost due to information loss.
Above all, it is essential to keep in mind the costs associated with administrative penalties:
The local government is responsible for the processing of personal data. It must ensure that it has taken all necessary measures to prevent a cyberattack:
- On the technical side (antivirus, antispam, etc.)
- At the organizational level (training, information, etc.)
In the event of a cyberattack, if a breach is attributable to the local authority, the CNIL may impose the following sanctions on it:
- a reprimand against the municipality;
- an order to comply with the GDPR, including in the form of a penalty payment;
- a financial penalty of up to 20 million euros, depending on the severity of the violation and the circumstances surrounding it.
Toward a True Financial Strategy: Investing in Cybersecurity
The evidence is clear: the financial impact of a cyberattack is far greater than the cost of protecting information systems.
“As seen recently in Évreux, Bayonne, La Rochelle, Angers, Houilles … The question is no longer ‘if’ local governments will be targeted by cyberattacks, but ‘when’.” (source: cybermalveillance.gouv.fr).
We need to take action now: this money shouldn't end up in the hands of hackers!
Preparation and prevention: these are the two key elements that enable organizations to protect themselves from cyberattacks and strengthen their cybersecurity. Training your users helps protect your organization from the risks (and costs) associated with a cyberattack.
Investing in technical and organizational solutions is now a matter of urgency.