Cyber threats: Municipalities should step up their preparations
A recent webinar organized by NATIONAL in collaboration with the Fédération Québécoise des Municipalités (FQM), and hosted by the author, brought together experts to raise awareness among municipal managers about the growing issues of cybersecurity. In the face of increasing cyberattacks targeting public organizations, a comprehensive strategy combining prevention, detection, rapid response, and transparent communication is essential.
"Municipalities are prime targets for cybercriminals," explained Xavier Trépanier of Palo Alto Networks. He added, "Cyberattacks against municipalities represent a very real and growing risk. According to experts, nearly 39% of government and municipal organizations have already been victims of a cyberattack, placing the public sector among the most targeted, just behind transportation and logistics. Although intrusion detection is becoming faster, attackers are using AI to enhance traditional techniques like ransomware, phishing, or data exfiltration to steal confidential citizen data or paralyze critical systems."
Obligations of Bill 25 for municipalities
Preparation in advance is crucial. "Municipalities must be aware of their legal obligations and implement appropriate protective measures," emphasized Me Natacha Boivin, partner, RPRP at Groupe TJC Inc. "This includes establishing data governance in compliance with Law 25 on the protection of personal information, adopting security policies governing the use of technologies, as well as encrypting and regularly backing up sensitive data."
Law 25 now imposes strict obligations in the event of a confidentiality incident, such as risk assessment of harm, notification of affected individuals if necessary, notification to the Commission d’accès à l’information, and maintaining an incident log. Failure to comply with these obligations can result in severe financial and reputational penalties. Municipalities must therefore stay informed about regulatory developments and ensure they strictly adhere to these legal requirements, regardless of their size.
Preparing ahead of time
An incident response plan should also be developed, including the creation of a designated crisis cell comprising representatives from key departments such as IT, communications, human resources, and legal.
"In the event of an incident, it is recommended to call on a 'breach coach'," noted Roxanne Carrier, a data protection lawyer at Norton Rose Fulbright. "We play the role of conductor to coordinate the incident response, ensure compliance with legal obligations, and protect certain information through attorney-client privilege."
Managing communication is also crucial. It is important to prepare press release templates before a crisis, identify spokespersons, plan alternative communication channels, and be transparent with stakeholders. Poorly managed communication can exacerbate the crisis and permanently damage the municipality's reputation, affecting citizen and partner trust. Therefore, it is essential to train teams in crisis communication and establish clear and effective procedures.
"Crisis communication is essential, both internally to mobilize the troops and with external stakeholders such as citizens, the media, and relevant authorities," insisted Sabrina Duguay, Vice-President at NATIONAL.
During a major incident, a well-prepared communication strategy makes it possible to share information about the situation quickly and transparently, prevents the spread of false information, and preserves the organization's reputation. A simulation of an attack can test and improve the intervention plan, but the plan must exist and be up to date. "Training is necessary to be ready to react quickly and effectively in the event of an incident," added Sabrina Duguay.
Avoiding headaches
Cybersecurity is a complex issue that requires a comprehensive approach involving all levels of the municipal organization. "A strong political will and committed leadership from the municipal administration are needed to implement a true cyber defense strategy," declared Sabrina Duguay. Allocating dedicated financial and human resources for crisis management is essential, as is establishing partnerships with external experts when necessary.
In the face of increasing cyber threats, municipalities must adopt a comprehensive action plan combining prevention, detection, rapid response, and transparent communication. Adequate preparation, including simulations, can prevent many headaches and significant costs associated with a major cyberattack that paralyzes essential services. Employee training, strengthening security measures, and a well-prepared crisis communication strategy are key elements to ensure the resilience and continuity of municipal operations in the face of growing cyber threats.