Cyberattacks against local governments are on the rise. To help fight back, an EU-funded project has developed and tested a suite of tools and services for preventing and effectively reacting to these attacks. Based on these results, local public administrations in Europe will benefit from a more robust cybersecurity programme that will ultimately help protect citizens and their precious data.
The cybersecurity landscape is changing and changing fast. Not only are businesses and financial institutions being targeted, cybercriminals are now seeing local public administrations (LPAs) as an attractive target. Typically, LPA cyberattacks involve the disclosure of personal data or the hacking of city infrastructures.
"Cyberattacks against local governments have become alarmingly common," says Paolo Roccetti, head of the cybersecurity unit at the Engineering Group, a global company that develops and manages innovative digital solutions for businesses. According to one report, about one quarter of local governments surveyed said they were experiencing attacks of one kind or another, sometimes as often as once every hour.
The problem is that the vast majority of LPAs are ill-equipped to mitigate these threats. "Less than half the local governments surveyed said they had developed a formal cybersecurity policy, and just 34 % had a written strategy for recovering from a breach," adds Roccetti.
This is where the EU-funded COMPACT project comes in. "We wanted to empower LPAs to become the main actors in their cyber-resilience improvement processes by providing them with tools and services for removing security bottlenecks," explains Roccetti, who serves as the project's coordinator.
A suite of integrated tools and services
To achieve its objective, COMPACT prototyped over 20 integrated tools and services tailored towards the unique cybersecurity needs of LPAs. For example, to help LPAs with risk assessment, the project developed tools for evaluating and monitoring exposure to cyberthreats.
"These solutions enable LPAs to prioritise the adoption of preventive and reactive countermeasures, allowing them to maximise the use of available resources for cyber protection purposes," remarks Roccetti. "Furthermore, affordability was at the centre of all our work, and the iterative approach we adopted allows LPAs to adapt their cybersecurity improvement plans using already available resources."
As to cyber monitoring, researchers developed an innovative solution that LPAs can adopt to continuously monitor critical infrastructure. By comparing data gathered from the infrastructure with information from threat intelligence feeds, operators can quickly spot anomalies and immediately implement the necessary recovery actions.
COMPACT also created solutions that LPAs can use to raise awareness about cybersecurity within their organisations. "Our game-based training focuses not only on specific cyberthreats, but also on the psychological and behavioural factors exploited during a cyberattack," adds Roccetti. At the same time, because the game is interactive and fun, the learning experience is more meaningful.
Tested and validated
The COMPACT suite of solutions has been tested and validated by more than 800 people from five European cities. According to Roccetti, these tests confirmed the solutions' ability to improve LPAs' resilience against cyber incidents.
"Most data breaches in public administrations are due to miscellaneous errors, a lack of preparedness, and the inability to react in a timely and effective manner," he concludes. By addressing all three of these factors, COMPACT has the potential to significantly reduce the cybersecurity threat that LPAs face today.
The exploitation of COMPACT's results remains ongoing. For example, one of the project's partners has integrated some of the COMPACT concepts into its commercial offering. LPAs can utilise these commercial solutions to safely manage their digital transformation. Another partner is incorporating the project's work into the dedicated training it offers to LPA staff and executives. Finally, a spin-off company will pursue the commercial exploitation of the cyber monitoring tools prototyped during the COMPACT project.
The project has also published best practices and guidelines that LPAs can use to quickly increase the robustness of their cybersecurity programme.