Anastasiya Kazakova, Public Affairs Manager
The risk of a breach and compromise of personal data due to a targeted cyberattack is on the rise in the run-up to the European Parliament elections to be held in May 2019. In this regard, one of the main tasks for local public administrations (LPAs) is to get their systems and personnel prepared for any and all possible kinds of cyberthreats.
However, since the GDPR came into force, many EU regulatory bodies have responded negatively in a survey when asked whether they were ready for the recently adopted EU data protection regulation. That lack of preparedness may be explained by a lack of the necessary funding and powers to implement certain procedures in accordance with the law. No doubt such a situation puts EU cyber-resilience at risk.
At the same time, another survey held by the Standard Eurobarometer revealed that 67% of European citizens worry that personal data left online could be compromised and used for targeted messages, and 61% are concerned about the possible risk of elections being meddled with through cyberattacks.
Given the possible EU cyber-resilience issues mentioned above, plus the European public’s concerns regarding the cyber-sphere, it seems logical to ask how LPAs might be made more cyber-resilient.
More about the problem
Since LPAs, due to staffing and budget constraints, have fewer resources for effective implementation of the organizational and technical measures needed for strong information security, they are unlikely to hire dedicated personnel or train existing employees to improve cybersecurity awareness. What’s more, in the event of a data breach, the authorities may have difficulty distinguishing personal data from other types of data, and difficulty determining whether an incident actually constitutes a data breach at all.
Among the common reasons for a data breach are the following:
- emailing of messages containing personal data to the wrong addresses;
- loss or theft of IT devices (USBs, tokens, laptops, etc.);
- leaving documents (electronic or hard copies) containing personal data in insecure places (e.g., hard copies left on desks, or a computer not being locked before a workstation is left unattended);
- technical errors due to a lack of full understanding of how to use very complex computer systems properly;
- hacking and malicious attacks on computer networks.
Any of the above can lead to grave consequences as LPAs and their services usually possess large and often sensitive databases without a clearly established sole responsibility for keeping such data secure.
At the same time, it should be noted that although computers and equipment become more and more complex, and information security is commonly considered a mostly technical issue, most of the incidents listed above occur as a consequence of human error and a lack of security awareness among employees. The 2018 UK Government Cyber Security Breaches Survey confirms that the human dimension of the problem is among the most common factors contributing to data breaches and improper handling of personal data.
In light of the above, LPAs are attractive targets for cybercriminals, especially prior to the European elections, and they are immune to neither data breaches nor malicious attacks. Besides, LPAs are usually large organizations with complex supply chains that may contain additional vulnerabilities if the corresponding measures are not implemented. Also, if a data breach does occur, the GDPR has established severe fines for non-compliance, especially if a data breach causes damage to the wellbeing of citizens. And it goes without saying that such events can affect trust in, and the reputation of, LPAs.
Local governments’ lack of resources for beefing up their cybersecurity awareness and hygiene suggests that the private sector could assist in this, and such assistance would be welcomed by LPAs.
A clear solution from the private sector
Recognizing the issue, both academia and industry players have joined up with LPAs to create the COMPACT project with three key objectives:
- to increase security awareness and skills among LPAs;
- to foster information sharing between European LPAs; and
- to link LPAs with major EU initiatives and make them a part of the common public-private partnerships network.
The project is funded by the European Commission through a grant under the Horizon 2020 programme. COMPACT specifically targets risks stemming from human error, and offers:
- risk assessment and monitoring tools;
- innovative training and gamification approaches; and
- information sharing services.
The project is being implemented in close cooperation with five European municipalities: Betrieb für Informationstechnologie Bremerhaven (Germany), Afragola and Bologna (Italy), Donostia San-Sebastián (Spain), and Amadora (Portugal). But all European LPAs will be able to access the comprehensive ecosystem with best practices, monitoring services and training sessions.
Kaspersky is taking part in the COMPACT project and has developed two security training sessions based on gamification principles: We created (1) the Kaspersky Interactive Protection Simulation (KIPS) scenario with a focus on GDPR-related incidents; and (2) the Cyber Safety Management Game (CSMG) to help LPAs process personal data properly.
The KIPS security training shows how risky and dangerous decisions made in the event of a data breach can be when they are taken without knowledge of GDPR-related incident-response and risk-management measures. That’s why the KIPS training was developed: to increase awareness of such security challenges and to better prepare participants for any kind of incident. The training also stresses how important teamwork and appropriate sharing of responsibility can be, and how they can help LPAs make better decisions for the security and safety of their citizens.
These cards are an illustration of the security mitigation measures that our KIPS game provides
The second training session – the Cyber Safety Management Game (CSMG) – covers LPAs’ daily operations and focuses on middle-management and other employees. It shows the importance of cyber hygiene in everyday situations by motivating participants to behave more consciously in the digital world.
By analyzing these common, seemingly benign situations and the respective decisions made in them, CSMG players learn ‘cyber hygiene’ and raise their security awareness in an engaging way.
We recently organized a CSMG game for the Bologna municipality, and it was a great success: we received very positive feedback from the participants, who told us that they’d recommend it to their colleagues to improve awareness of the simple yet very effective steps that significantly reduce the likelihood of their ever being an accidental cause of, or a victim in, a security incident.
To sum up, the COMPACT project will develop an integrated platform with a set of tools and services specifically tailored to LPAs to help them address the human factor in information security and privacy issues.
We believe that this example of public-private partnership could set a successful blueprint for other projects focused on innovation in technological processes and improvement of the cyber-resilience of LPAs. There is a lot of work still to be done, but at least the first important steps have been successfully taken: steps toward better overall cybersecurity in Europe.