The numbers ring out like a warning. Of the 1,700 elected officials and local agents interviewed in communities with less than 25,000 inhabitants, 45% admit to having been victims of computer attacks whose cause remains unknown. Even more worrying, u1 in 10 administrations say they have suffered malicious intrusionsthis rate doubling for municipalities with more than 5,000 inhabitants.
Behind these statistics the portrait emerges of territorial institutions poorly prepared to face the digital challenges of the 21st century. However, there is no shortage of examples just for this year: between the colossal hacking of Free, the attacks during the Olympics this summer or the LockBit offensive on the Simone-Veil Hospital in Cannes, the landscape of Cybersecurity has rarely been so shaken on national soil.
A vulnerability masked by false confidence
The study reveals a striking paradox: 53% of communities say they have satisfactory IT protection, a perception up six points compared to 2023. This confidence is based on the installation of very basic equipment : antivirus (88%), backup systems (85%) and firewalls (61%).
However, only 14% of them consider themselves really ready to face a cyberattack. These tools are certainly essential, but they only constitute a first line of defense and are absolutely not sufficient to guarantee complete protection.
Half have no business continuity or recovery plan (PCA/PRA), while 28% are even unaware of the existence of such procedures in their structure. However, they are essential documents which detail the actions to be implemented to maintain or restore the activities of an entity in the event of a major IT incident. A sort of rescue plan to get out of the storm.
Unsurprisingly, the consequences are seriouss: 40% of targeted communities suffered service interruptions following an attack, not counting data theft and destruction which concerned 12% and 15% of them respectively.
Budgetary strangulation, a reflection of a lack of understanding of the issues
The roots of this global vulnerability lie in a worrying financial reality. Seven out of ten communities are functioning with an annual IT budget of less than 5,000 eurosmore than three quarters of whom spend less than 2,000 euros on their digital security. Such a limited IT budget, and more particularly such a limited security budget, suggests numerous flaws in the defense systems of the communities concerned.
Two thirds of administrations do not consider, moreover, no increase in these resources for the coming year. Indeed, cybersecurity can be seen as a long-term investment, less of a priority than more immediate expenses and local elected officials are not always aware of the importance of this aspect.
A real budgetary paralysis, which is precisely accompanied chronic underestimation of threats : 44% of structures, particularly municipalities with less than 300 inhabitants (49%), consider the risk of cyberattacks to be low, or even very low.
Faced with this observation, communities call for triple action. 45% of them believe that technical support for their teams should be strengthened, 54% would like to improve the security toolset and 62% are calling for better awareness of their teams.
And the State in all this? It could impose performance obligations on communities in terms of cybersecurity, while leaving them a certain latitude in the choice of means to be implemented. Of course, establishing such a framework would require the release of sufficient subsidiestax credits or calling on European funding. The feeling of being abandoned by the State is a historical recurrence for small municipalities in France, ideally, it would be good practice for history not to repeat itself.
- Nearly 45% of small communities have suffered cyberattacks without identifying the origin, revealing a significant systemic vulnerability.
- Most communities say they are well protected, but lack emergency plans and advanced tools.
- With budgets of less than 2,000 euros, they underestimate the risks and struggle to prepare.
