How much does a security policy cost the public sector? Does heavy investment really pay off in the face of cyber threats? Find out why investing in cybersecurity is necessary for public bodies.
Today, cyber-attacks are a worrying threat to all business sectors, and the public sector is no exception. Central government administrations, state operators, local authorities, hospitals, and healthcare organizations are all prime targets for cybercriminals. These attacks can paralyze the operation of public services and represent a severe threat to the protection of the personal data for which they are responsible.
Yet, despite growing awareness of the risks, cybersecurity investment in the public sector still appears insufficient. In 2022, 6.6% of the public sector IT budget was earmarked for cybersecurity, but the level of IT security maturity was estimated at just 36.9% (source: Wavestone, March 2022). Let's take a closer look at where the problem lies.
The impact of cyber-attacks in the public sector
Digital transformation has affected all public-sector structures, from hospitals and schools to town halls and ministries. While digitizing services and deploying connected solutions were essential, this far-reaching transformation was not always accompanied by adequate security. On the contrary, it has created opportunities for cybercriminals.
In a 2023 report, the National Cybersecurity Agency of France (ANSSI) notes a significant increase in cyber threats, particularly ransomware attacks. The three main categories of victims are:
- Small and medium-sized companies (40%).
- Public administrations (23%).
- Public health establishments (10%).
This highlights the continuing vulnerability of public sector information systems to increasingly sophisticated cyber threats. Despite this, cybersecurity needs are not always clearly defined within public institutions, even though the threats are well known. European CERTs, notably ANSSI, regularly publish documents to raise awareness of cyber risks among public bodies. Most recently, CERT-FR published a summary of the threats targeting public services.
The misjudged costs of a cyber attack
Cyber-attacks in the public sector entail substantial costs, but estimating them remains complex because attacks are so varied and so numerous. The city of Lille (France), for example, was attacked in March 2023 but only managed to estimate the cost of the incident six months later, at around 1.7 million euros.
According to a study by Asterès published in June 2023, the 385,000 successful cyberattacks against French organizations in 2022 generated a total cost of 2 billion euros. These costs include:
- 887 million euros in direct costs incurred to remedy the attacks;
- 888 million euros in ransoms paid to cybercriminals;
- 252 million euros in production losses, plus 7 million euros in lost working hours.
The private sector bears the larger part of the financial burden of cyber-attacks in France, accounting for three-quarters of the total cost, while the public sector bears the remaining quarter.
Extensive damage
Attacks can lead to the interruption of services and affect the functioning of the affected organization. The loss of sensitive data entails considerable expense and is detrimental to all users.
The reputation of public entities is thus put at risk. Attacks expose security flaws and can erode public confidence in the ability of local governments to protect their data and interests. Finally, legal and compliance costs pile up: by compromising the privacy of citizens' personal data, cyber-attacks trigger notification obligations and can lead to fines.
The return on investment of a cybersecurity policy
Despite this, most public bodies are not ready for cybersecurity, or do not even feel concerned by it. For example, a study by the French Groupement d'intérêt public (GIP) Cybermalveillance, published in May 2022, reveals that 65% of municipalities with fewer than 3,500 inhabitants believe they are safe from cyberattacks. Budgetary, time, and resource constraints are often cited as reasons.
A necessary investment
The responsibilities and obligations of the public sector make cybersecurity an issue at the national level. At the end of 2020, the French government launched the cybersecurity component of the France Relance plan, steered by ANSSI. Our security testing operations are eligible for this funding; here's a story about our bug bounty with French local authorities. This plan represents an investment of 136 million euros, providing the financial impetus needed to strengthen the cybersecurity of public sector beneficiaries significantly and sustainably. Public sector bodies must overcome financial and technological challenges to guarantee data security and public confidence.
Real returns on investment
Cybersecurity investments in the public sector are a strategic imperative. They protect citizens and their data and generate significant and varied returns on investment over the long term:
- Continuity of public services. Preventing disruption and managing security incidents more effectively help keep public services running. The remediation costs after a cyber-attack are considerably higher than the cost of preventive investments.
- Maintaining user confidence. Users need to know that their personal data and sensitive information are safe in the hands of the public sector. Loss of trust can have long-term repercussions.
- Regulatory compliance and protection of sensitive data. Public institutions must comply with strict privacy laws, and fines for non-compliance are significant.
- Strengthening government credibility. The aim is to build national and international confidence, thereby improving diplomatic and economic relations.
Read also: Public sector: cyberthreats, challenges, and consequences
Yogosha, OffSec for public-sector cybersecurity
For the public sector, cybersecurity represents an unavoidable investment, given the risks involved. Yogosha supports public sector players in countering these risks. As specialists in Offensive Security (OffSec), we offer a range of cyber approaches:
- Pentest as a Service: a security audit launched in less than a week for a flat fee. Uncover most of the vulnerabilities in a product and assess its security level at a given point in time, or schedule several pentests throughout your development life cycle as part of a DevSecOps approach.
- Bug bounty: an in-depth hunt for vulnerabilities with the elite hackers of the Yogosha Strike Force. Identify the most critical vulnerabilities on a pay-per-result basis. No vulnerabilities, no expenses: you only reward exploitable results.
As an expert in cybersecurity, Yogosha supports all types of public bodies in protecting their information systems. Identify your vulnerabilities through Pentest and Bug Bounty operations, and centralize and manage your cybersecurity strategy from a dedicated platform.
As a bonus, Yogosha supports high schools, universities, and regional authorities by setting up educational Bug Bounty programs to help train the security engineers of tomorrow.
Ministries, local authorities and agencies are prime targets for cyber-attackers. Be a step ahead and strengthen your security now.