Cyberattacks can be dangerous for authorities if employees do not act correctly and/or IT systems are insufficiently protected. Therefore, both technical and organisational measures are needed to protect against cyberattacks. Some measures can be implemented by the communes themselves, or else they have to be discussed with external ICT service providers.
Don't forget, responsibility for cybersecurity always lies with the authority!
The communal executives have a duty when it comes to protection against cyberattacks. This also includes raising employee awareness. Communal clerks bear a lot of responsibility within the communal administration and increasingly have to make decisions on ICT issues.
It is advisable to provide special training in this area for communal clerks and to generally invest in security awareness training for employees and militia members. Organise this together with other communes or the cantonal communal organisations.
Designate people in your administration who are responsible for performing the respective tasks related to ICT system security. Also clarify the roles and responsibilities regarding emergency and crisis organisation, as well as the corresponding powers.
Interfaces to partners must be identified in advance and processes coordinated. Clarify with your ICT officer which security incidents you absolutely must be informed about. This applies to incidents that affect your own infrastructure, as well as those of the ICT service provider.
A good strategy against cyberattacks starts before the actual incident: established processes and escalation paths are vital to keep control.
Define which event log files are stored and for how long.
This is best done in a central location. Extensive log data helps to identify the origin of an attack, to obtain information about infected systems in one's own network and to take appropriate countermeasures. Due to the importance of log files, their data protection should not be neglected. Clarify questions about log files and the detection of attacks with your ICT officer.
Perform a data and information inventory and define elements that are particularly worthy of protection. Prepare a protection concept for these elements. For cantonal and communal data protection provisions, consult the websites of your canton and your communal association.
Think carefully about what information you disclose on your own website or in social media, as this is collected by criminals. In particular, the website should not list the details of the person in charge of the administration's financial transactions, who has e-banking access. As a matter of principle, no confidential information or data should be transmitted through anonymous channels, e.g. telephone or email. Confidential information should be consistently encrypted or sent by post to external parties.
Take care when using cloud services. These are used by many programs. Consider which data should be stored locally and which in the cloud. Never store unencrypted sensitive data in a cloud. Before using a cloud service, read the provider's general terms and conditions (GTC) and pay attention to the data protection provisions. Data may not be passed on, for example for commercial purposes. Check with your data protection supervisory authority.
Data protection tools and a list of the respective supervisory bodies can be found on the website of the conference of Swiss data protection commissioners, privatim:
Define binding password rules and enforce them consistently with employees. A password must have a minimum length of twelve characters and should consist of upper and lower case letters, numbers and special characters. Ideally, it should be randomly generated and not refer to personal information such as names or dates of birth.
Two-factor authentication provides additional protection.
It is essential to avoid using the same passwords. If it is difficult to remember multiple passwords, you should use a password manager. If you follow these rules, a cyclical password change is not essential. However, passwords must be changed at the latest when they could be known to third parties or when employees no longer work for the commune.
Malware often reaches your computer through email attachments disguised as supposed invoices or job applications. Block the receipt of dangerous email attachments. You can find a detailed, updated list of such dangerous attachments on Information on GovCERT. Ensure that no macros can be executed in Office documents of dubious origin. Discuss this with your ICT officer.
Define communication channels for employees to report suspicious incidents (email, computer, phone calls, etc.) and, if possible, activate a function for reporting dubious emails.
Also communicate with citizens in a mindful manner. Send emails solely in text format and use attachments sparingly. Avoid Office documents with macros and use PDF documents instead. Disclose links and do not link to websites that require a username, password or other data. Fraudulent emails are mostly written impersonally; write to citizens using their first name and surname if possible.
Make payments on a separate computer that you do not use to browse the internet or receive emails. Talk to your ICT officer about the possibility of making your online payments in a separate area from the rest of your applications (sandboxing) or in a dedicated, specially protected virtualised system.
Clarify all processes concerning payment transactions. These must be adhered to by employees in all cases, e.g. with the dual control principle and/or joint signature: in this case, payments must also be approved by another e-banking user before they are issued. This applies in particular if several employees have payment powers. Talk to your bank about possible security measures.
Document your ICT infrastructure in as detailed an inventory as possible. Only if you are familiar with your ICT infrastructure, services, computers, users, etc. will you know what you need to protect and monitor. In particular, you should know which systems are connected to the internet and thus publicly visible. These systems need to be especially well protected.
Define a process that governs regular data backups and adhere to it consistently. Consider how many days of data loss you can handle and store an additional copy of your backup separately (offline) and offsite. You and your deputy should practise importing backups from time to time so that you are familiar with the process in case of an emergency. Keep previous versions of the backup for a period of several months.
Obsolete software is a popular gateway for malware. Make sure your systems are up to date. This also applies to the content management system (CMS), i.e. the website management system for your web presence. Most content management systems offer an automatic update function that is easy to activate.
Install antivirus software on every computer and activate real-time protection.
Make sure it is updated regularly and runs a full system scan daily.
Do not protect remote access to your network with simple authentication (username and password). At the very least, use two-factor authentication or a secure connection via a virtual private network (VPN). This also applies to access by external ICT officers.
The above information has been taken from the NEDIK brochure "Guidelines for communes".
Helpful checklists are also available in this brochure:
Guidelines for communes (available in German and French)
Several points need to be considered if ICT security is outsourced to external service providers.
Last modification 29.12.2023
