The Clusive Cyber Specialists Club has just released its recent report, "Computer Threat Investigation and Security Practices."
For this 2020 edition, the study focused on the cyber threats encountered on a daily basis by French organizations, in particular the communities and security practices of the latter.
This article will also interest you: What if the problem with cybersecurity was its lack of woman?
Although sampling does not appear to be so expressive (202 cases studied), it remains a benchmark. Indeed, it is particularly comprehensive, with inclusion, the 14 themes of ISO 27002:2013, dealing with the security of computer systems and networks, as in previous years.
It should also be noted that such a Clusif approach is not a first. Indeed, the Club of IT Security Professionals is studying for the third time how Territorial Communities manages their cybersecurity through their day-to-day operations.
But this study in particular, only 202 communities have been approached since the beginning of 2020. The results that were obtained were adapted to reflect the reality corresponding to the distribution of its organizations. In this data analysis, several specialists from all sides participated.
It is worth remembering that the implementation of PSI programmes is on the rise, with concrete support of almost 70% of the branches. It has also been noted that despite this progress it still has difficulty distinguishing it from the directions of information systems.
In addition, the function of security manager of the information system has become increasingly present in the majority of local authorities, which is also a corollary to the PSI. However, it should not be overlooked that it remains quite difficult for some organizations to consider it to be a full-time position, which unfortunately often places the RSSIs, in fairly comfortable positions, not having real freedom of speech.
While there is some improvement in the security of information systems, it should also be said that it is not a priority for everyone. For good reason, financial and even human resources are relatively lacking. The budget generally for rent to computer security poses serious problems of sustainability and adaptation. But on this point, we should recognize an increase from previous years.
In addition, it should be noted that the 2020 edition is one of the first in a series of studies carried out by the Club of Professionals on the Management of Cybersecurity in Local Authorities since the General Data Protection Regulation came into force. In view of this aspect, the following results were observed:
– 34% of the local authorities surveyed believe that they are in contact with the RGPD, compared to 59% who claim to be partially in contact.
– 75% of these organisations believe that they have designated a DPO, which is also mandatory under the European standard, 10% say they are in progress at the level of this designation. However, in 51% of cases, there was direct connection to the branch, and outsourcing in 19 percent of the communities surveyed.
– Only 57% of communities have made full or partial identification of services requiring some certification, which describes a mixed, if not negligent, respect for the general safety repository.
– 87% of the organizations following this study unfortunately indicate that they do not follow up with TBSSI, although in a sense there has been an increase in audits, given the previous study. In fact, 56% of these communities reported doing it at least once every 2 years.
– 51% said they had evolved at the level of their IT security organization because of regulatory requirements.
In short, the consideration of the issues of computer security unfortunately remains very variable. This is in relation to the size of the communities as well as the communities of municipalities that unfortunately do not keep up with the same pace. But we can still recognise that the arrival of European data protection regulations has had a boost in terms of improving security practices. Even if it must be admitted the delay is still important
"The threat to information is still linked to information security, which still depends for a large part on either the "attacks" that these different actors have experienced within their IS, or the laws and regulations they have. In 2018, I wrote: "The time for "umbrella" security policies, which are formalized to give themselves good conscience, is generally over! How I wish it had been heard… But it is not too late: Gentlemen, Mr. Leaders, understand that information security is essential today, it is about the survival of your organizations, in terms of the issues they carry and the data for which they are responsible… concluded Lionel MOURER, For the CLUSIF Working Group.
Now access an unlimited number of passwords: