Table of contents
- Why a cyber security guide for public administration
- An increasingly risky landscape
- The real-world impact of cyberattacks on public administrations
- The weak (and strong) link in the chain: the user
- Why a responsible approach is essential
- The first line of defense: credentials
- The 12 rules of the public administration cyber security guide, explained
- Useful attachments (to share with IT)
- Security is a team effort
Why a cyber security guide for public administration
The digital world offers enormous opportunities, but it also brings a growing number of cyber threats. In recent years, hacker attacks targeting public administrations have increased exponentially, compromising essential services such as healthcare, payments, and university systems. A single wrong click, an accidentally opened attachment, or a weak password can be enough for a cybercriminal to block entire systems.
For this reason, the National Cyber Security Agency (ACN) has promoted a guide of best practices in cyber security, designed for all public sector employees.
It’s not a technical manual for IT specialists, but a collection of simple, everyday rules that every employee can apply to protect themselves, citizens, and institutions. Digital security, after all, depends not only on technology but above all on the human factor.
An increasingly risky landscape
The threat landscape has become complex and global. According to the latest annual report by the ACN, in 2024 there were 2,756 cyber incidents against public administrations and more than 50% originated from human error. This clearly shows that vulnerability lies not only in systems, but in employees’ daily behaviors.
International geopolitical crises have further worsened the situation: from the war in Ukraine to the conflict in the Middle East, military operations have had a direct impact on cyberspace, with cyberattacks that know no borders and increasingly affect Italian institutions as well.
The real-world impact of cyberattacks on public administrations
These are not theoretical risks. In recent years, Italian hospitals have suffered ransomware attacks that blocked bookings, disabled diagnostic equipment, and exposed patients’ medical data online. In December 2023, a cyberattack on public administration digital service providers caused delays in salary payments, severely affecting employees and families.
Universities and local administrations have also faced complete shutdowns of their IT systems, resulting in economic and reputational damage, as well as the paralysis of essential public services.
The weak (and strong) link in the chain: the user
Statistics confirm it: the most vulnerable point in cyber security “lies between the keyboard and the chair.” In other words, the user. But this shouldn’t be seen as a limitation: that same user can become the first line of defense against attacks.
Cyber security is not just a technical matter. It rests on three levels:
- System governance, the rules and management strategies in place.
- Defense technologies, such as firewalls, antivirus software, and monitoring systems.
- Everyday behavior, the attentiveness and actions of individual employees.
Main digital threats
Every day, public sector employees are exposed to real risks:
- Phishing: fraudulent emails that mimic official communications to steal login credentials.
- Ransomware: malicious software that locks data and demands a ransom for its release.
- Credential theft: allows hackers to gain undetected access to internal systems.
- Email account compromise: infected or hijacked mailboxes are then used to spread new attacks within the administration.
A single fake link or malicious attachment can take an entire institution offline in just a few minutes.
Why a responsible approach is essential
Adopting good cyber security practices is not only about protecting systems; it’s about ensuring:
- Citizens’ trust in public institutions;
- Continuity of public services;
- Regulatory compliance, avoiding administrative penalties and disciplinary actions.
Public administrations must act now, not only by implementing secure technologies, but also by establishing clear behavioral rules and applying them consistently over time.
The first line of defense: credentials
Passwords and access tokens are the first shield against intruders. Weak or shared passwords are equivalent to leaving the office door wide open. It is essential to create strong, unique passwords and to change them periodically.
Special attention should also be given to the use of artificial intelligence. Increasingly, employees are pasting texts and documents into public chatbots, which risks exposing sensitive data to external systems that could reuse it.
The 12 rules of the public administration cyber security guide, explained
Below is a practical, operational overview of the 12 points of the guide. Each section is designed for public administration employees who want to minimize the risk of incidents without becoming a security expert.
For each point, you will find: why it matters, how to apply it immediately, common mistakes to avoid, and examples from everyday office life. Where useful, mini-snippets and commands are included that can be shared with IT to automate checks.
1. Always enable Multi-Factor Authentication (MFA)
Why it matters: Password theft is an everyday risk, whether through convincing phishing, reuse of the same password on breached sites, or keyloggers on outdated devices. MFA adds a second “lock” (something you have or something you are), making a stolen password useless.
Preferred methods, ranked by strength:
- FIDO2 / passkey (hardware or device-integrated security key): resistant to phishing and interception; ideal for critical accounts (official email, administrative consoles, management systems).
- TOTP via app (e.g., Microsoft Authenticator, Google Authenticator, FreeOTP): 30-second expiring codes that also work offline.
- Push with “number matching”: app notification requiring entry of a number displayed on screen (prevents “approve fatigue”).
- SMS: better than nothing, but vulnerable to SIM swap and interception; use only if no other option is available.
What to do immediately
- Enable MFA on all PA accounts that support it (email, VPN, internal systems, cloud suites).
- Register at least two methods (e.g., passkey + TOTP) and print backup codes in a sealed envelope, stored according to your organization’s policy.
- Segment by role: high-privilege roles (finance, healthcare systems, protocol, SUAP, payroll management) → mandatory and stronger MFA (FIDO2).
Mistakes to avoid
- Relying on a single second factor (personal phone without alternatives).
- Approving push notifications “without looking.”
- Failing to update the Authenticator app when changing smartphones → loss of tokens.
Example
An employee receives a fake email “from IT” requesting a password change and enters credentials on a cloned site. Without MFA, the attacker gains access and sets up forwarding rules to intercept messages; with MFA, access is blocked at the second step.
2. Use strong and unique passwords for work and personal accounts
Why it matters: A single external data breach (social media, e-commerce) can expose your password. If you reuse it for PA accounts, attackers can gain access effortlessly.
How to create strong passwords you can actually remember:
- Long phrase (passphrase): at least 16–20 characters, using unrelated words plus punctuation (e.g., “Owls!Trains^April?Rosemary”).
- Corporate password manager: generate and store different passwords for each service, with secure sharing between offices when necessary.
- Clear separation: work credentials in one vault; personal credentials in another. Never mix them.
Technical mini-rule (useful for IT)
Recommended policy: minimum length 14–16 characters, block the 1,000 most common passwords, only expire if compromise is suspected (avoids unnecessary periodic rotations), lock accounts after n failed attempts with progressive backoff.
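The policy above, turned into a check IT could run on a password change request: an added Python example, not from the guide. It enforces the minimum length, a common-password denylist (a constructed excerpt here; the real list would be the 1,000 entries the policy mentions), rejects the “changed only a digit” trick from the mistakes list, and computes the progressive lockout delay.

```python
import re
from typing import Optional

# Constructed excerpt of a common-password denylist; IT should load the full 1,000-entry list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein", "comune", "amministrazione"}

MIN_LENGTH = 14


def normalize(pw: str) -> str:
    """Strip trailing digits/punctuation and lowercase, so "Welcome2025!" or "PASSWORD1"
    are recognised as trivial variants of a denylisted word or of the previous password."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def check_password(candidate: str, previous: Optional[str] = None) -> list[str]:
    """Return the list of policy violations for a candidate password (empty = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        problems.append("matches a common password (or a trivial variant of one)")
    if previous is not None and normalize(candidate) == normalize(previous):
        problems.append("differs from the previous password only by digits or punctuation")
    return problems


def lockout_delay(failed_attempts: int, base_seconds: int = 2, cap_seconds: int = 900) -> int:
    """Progressive backoff: the first three failures cost nothing, then the delay doubles.
    The cap stops an attacker from locking a user out indefinitely with junk attempts."""
    free_attempts = 3
    if failed_attempts <= free_attempts:
        return 0
    return min(base_seconds * 2 ** (failed_attempts - free_attempts - 1), cap_seconds)
```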
Mistakes to avoid
- Sticking passwords on Post-it notes on your monitor or under your keyboard.
- Keeping a “passwords.xlsx” file on your desktop.
- Changing only a single digit when a password expires.
Example
A vendor suffers a data breach, and their list of credentials is leaked. If you reuse the same password for your official email, the attacker can try it and gain access on the first attempt.
3. Always lock your device when stepping away
Why it matters: An unlocked PC is like an office with the door wide open: anyone can send official emails, copy data, or install a trojan in seconds.
What to do immediately
- Habit: every time you get up → Win+L on Windows, Ctrl+Cmd+Q on macOS, Super+L on Linux.
- Automatic timeout: ask IT to set the screen lock to 5–10 minutes and require a password on wake.
- Privacy screen: if you work at a counter or in an open space, consider privacy filters to reduce “shoulder surfing.”
Tip for IT (Windows GPO)
User Config → Admin Templates → Control Panel → Personalization → Password protect the screen saver (Enabled) and Screen saver timeout = 600.
Mistakes to avoid:
- “I’ll be just a moment”: even a few minutes are enough.
- Leaving your badge in the reader: it often unlocks automatically.
Example
In a meeting room, a visitor is left alone for two minutes with an unlocked laptop and plugs in a USB that opens a reverse shell. Locking the device would have prevented the action.
4. Always update your system without delay
Why it matters: Updates close known vulnerabilities that attackers can exploit automatically. Delaying them is like leaving your door open for weeks.
What to do immediately
- Schedule a regular “update slot” (e.g., every Tuesday at 12:30): restart, install patches, and check key applications.
- Update browsers and plugins (PDF readers, extensions), as they are common attack vectors.
- Follow the maintenance windows communicated by IT (WSUS, Intune, Jamf, etc.).
Technical tip (macOS)
Check update status:
softwareupdate -l
Install critical updates:
sudo softwareupdate -ia --critical
Mistakes to avoid
- “I’ll do it later”: often means never.
- Postponing restarts for weeks while leaving patches pending.
Example
A “zero-click” vulnerability in the email client is patched; those who don’t update remain exposed to the same exploit that others have already automated.
5. Install only PA-authorized software
Why it matters: Executables downloaded from unofficial sites or “freemium” apps can contain adware or backdoors. A single unauthorized tool can open a gateway in the network.
What to do immediately
- Use official catalogs (Software Center, Company Portal/Intune, Jamf Self Service). If a tool is missing, request its inclusion.
- Verify the source: check the manufacturer, digital signature, and hash.
- Avoid “cracks”: besides being illegal, they are often vehicles for malware.
Verify the signature (macOS)
spctl --assess --type execute -v /Applications/AppName.app
codesign -dv --verbose=4 /Applications/AppName.app
Mistakes to avoid
- “A colleague sent it to me on WhatsApp”: an unreliable channel.
- Installing unapproved browser extensions: they can read everything you browse.
Example
A “free” PDF converter downloaded from a cloned website injects a script that intercepts credentials entered in the browser.

6. Use only authorized media and devices
Why it matters: USB drives are a classic vector (malware, BadUSB, data theft). A personal external drive can introduce dormant ransomware that activates as soon as it finds network shares.
What to do immediately
- Use only USB sticks and external drives provided or approved by the organization, and ensure they are encrypted (e.g., BitLocker To Go or hardware-encrypted devices).
- Do not connect personal smartphones to your work PC just to “charge the battery.”
- Request a secure channel for file exchange with suppliers (SFTP, a secure document portal, or PEC with encrypted attachments).
Tip for IT (Windows, BitLocker To Go)
Policy criteria: require automatic encryption for removable media, enforce a strong password, and store recovery keys in escrow (AD / Azure AD).
Mistakes to avoid
- Bringing an old but “convenient” USB from home.
- Lending removable media to colleagues in other offices without tracking their use.
Example
A free giveaway USB from an event contains modified firmware: when inserted, it emulates a keyboard and executes invisible commands.
7. Don’t trust urgent emails or suspicious links
Why it matters: Phishing uses urgency and authority to make you act without thinking: “act now,” “account blocked,” “mailbox full,” “payroll rejected.”
What to do immediately
- Check the real sender (not just the display name): look at the domain, spelling mistakes, and homoglyph domains (e.g., “ì” instead of “i”).
- Hover over the link: does the real URL match the displayed destination?
- Be wary of compressed attachments or double extensions (e.g., “.pdf.exe”).
- Verify through an alternate channel: call the colleague or supplier using a known phone number.
- Report to your SOC/IT team and include the message headers.
Useful header clues (typical excerpt):
Received: from mail-123.fakehost.com ...
Authentication-Results: spf=fail; dkim=none; dmarc=fail
An SPF/DKIM/DMARC “fail” is a strong indicator of fraud.
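The header check above, as an added Python example (not from the guide) that a SOC could run over a reported message: it unfolds the headers, pulls the spf/dkim/dmarc verdicts out of Authentication-Results, and also flags a Return-Path domain that does not match the visible From domain. Both header blocks are constructed samples using reserved example domains.

```python
import re

# Constructed excerpt modelled on what "view source" shows for a phishing message.
SUSPICIOUS_HEADERS = """\
From: "Ufficio Tesoreria" <tesoreria@comune.example.it>
Return-Path: <bounce@fakehost.example>
Received: from mail-123.fakehost.example (unknown [203.0.113.45])
Authentication-Results: mx.example.it; spf=fail smtp.mailfrom=fakehost.example;
 dkim=none; dmarc=fail header.from=comune.example.it
Subject: URGENTE: anomalia pagamento
"""

# Constructed excerpt of a legitimate internal message for comparison.
LEGIT_HEADERS = """\
From: "Ufficio Personale" <personale@comune.example.it>
Authentication-Results: mx.example.it; spf=pass smtp.mailfrom=comune.example.it;
 dkim=pass header.d=comune.example.it; dmarc=pass header.from=comune.example.it
Subject: Cedolino di ottobre
"""


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def auth_results(raw: str) -> dict[str, str]:
    """Extract the spf/dkim/dmarc verdicts from the Authentication-Results header."""
    verdicts: dict[str, str] = {}
    for line in unfold(raw):
        if line.lower().startswith("authentication-results:"):
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", line, re.I):
                verdicts[method.lower()] = result.lower()
    return verdicts


def header_from_domain(raw: str) -> str:
    m = re.search(r"^From:.*?<[^@>]+@([^>]+)>", raw, re.I | re.M)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw: str) -> list[str]:
    """Red flags an analyst notes first: failed/missing authentication and a Return-Path
    (envelope sender) domain that differs from the From domain the user sees."""
    flags = []
    verdicts = auth_results(raw)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) in ("fail", "softfail", "none", "permerror", "temperror"):
            flags.append(f"{method}={verdicts[method]}")
    rp = re.search(r"^Return-Path:\s*<[^@>]+@([^>]+)>", raw, re.I | re.M)
    if rp and rp.group(1).lower() != header_from_domain(raw):
        flags.append(f"return-path domain {rp.group(1).lower()} != from domain {header_from_domain(raw)}")
    return flags
```

A lone dkim=none is weaker evidence than spf=fail or dmarc=fail (some legitimate senders still do not sign), which is why the function reports each verdict separately rather than a single score.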
Mistakes to avoid
- Opening unexpected invoice attachments.
- Forwarding a suspicious email to others: you multiply the risk.
Example
An email “from Treasury” reports a payment anomaly with a “verify” link that leads to a fake login page identical to the real portal. After entering credentials, the attacker intercepts access and creates unauthorized transfers.
8. If you lose a device, notify the security team immediately
Why it matters: Smartphones and laptops contain credentials, emails, MFA tokens, and management apps. Every minute that passes increases the window of opportunity for an attacker.
What to do immediately
- Notify the IT/security contact right away: location, time, device type, and the last data or systems you accessed.
- Initiate remote lock and wipe (MDM/Intune/Jamf) and rotate keys (passwords, tokens, certificates).
- Report to the authorities if required by policy (useful for traceability and any mandatory data-breach notification).
Quick checks to run with IT
- Was the device encrypted (BitLocker/FileVault)?
- Were MFA and device unlock PINs enabled?
- Were BYOD devices connected to PA data? Assess whether selective wipe measures apply.
Mistakes to avoid
- Waiting in the hope it will “turn up.”
- Trying to track or recover it yourself in risky places.
Example
A smartphone lost on a train had the work email app configured: a remote wipe and immediate token revocation prevented access to the mailbox and the PEC archive.
9. Avoid connecting to unsecured public Wi-Fi
Why it matters: Hotel, café and station networks can be controlled by third parties. Through MITM attacks, ARP spoofing and malicious captive portals, your data can be intercepted.
What to do immediately
- Prefer tethering from your phone (with a strong PIN) or use eduroam / your organization’s network if available.
- If you must use a public network:
- Connect only if the PA VPN activates automatically at startup.
- Check the certificate of any portal that asks for credentials.
- Avoid accessing critical systems until you’re on a secure channel.
- Disable automatic connection to open networks.
Tip for IT
Configure always-on VPN + controlled split-tunneling; block traffic to PA services if the VPN is not active.
Mistakes to avoid
- Trusting networks with bait names (“freeairport‑wifi”, “pa‑guest”) that are not official.
- Accepting TLS certificates with red warnings and choosing “proceed anyway”.
Example
A fake “Microsoft 365 login” portal appears in a hotel and harvests credentials. An always-on VPN would have forced encrypted traffic before any login.
10. Report any anomaly immediately
Why it matters: Serious incidents almost always show early warning signs hours or even days before: unexplained slowdowns, flashing windows, antivirus turning off on its own.
Signals not to ignore
- Prompts that appear and disappear, CPU or fans at full speed while idle.
- Error messages on the Trusted Platform Module or disk encryption.
- New mail forwarding rules you didn’t create, emails “from you” that you don’t recall sending.
- Certificates or plugins installed without request.
How to report properly (concise template)
- Subject: PC anomaly – office / department – date – name surname
- What you see: “Browser opens on unknown site 3 times in 10 minutes”
- When it started: “Today 14:25”
- What you were doing: “Opening .docx attachment from PEC”
- Screenshots/logs attached: yes/no
Mistakes to avoid
- Restarting repeatedly hoping the problem “goes away”.
- Using unauthorized “cleanup” tools that destroy traces useful for analysis.
Example
Prompt reporting of a Word-crashing attachment allows the SOC to block the campaign before it spreads further.
11. Use work email only for official activities
Why it matters: The institutional mailbox is an asset of the organization: it has logs, retention policies, legal and privacy obligations. Using it for commercial services increases spam, profiling, and exposure (more data about you = more credible phishing).
What to do immediately
- Use the PA email only for office procedures and communications (PEC for official documents).
- For authorized external tools (e.g., procurement platforms, INPS/INAIL portal) follow the channels indicated by your IT/legal office.
- For technical newsletters, request a dedicated alias or a “service” account.
Mistakes to avoid
- Signing up for shopping sites, social media, forums with your PA email.
- Automatic forwarding to personal mailboxes.
Example
Signing up for a price comparison site with a PA email → database sold to third parties → targeted spear-phishing campaigns referencing your office.
12. Never enter sensitive data into artificial intelligence chats
Why it matters: Many public generative AI services store inputs and outputs for improvement purposes. Pasting confidential documents into a chatbot can constitute a breach of official secrecy and create a future risk of information leakage.
What not to share (ever)
- Health, judicial, or financial data of individuals.
- Non-public personal data of citizens or colleagues.
- Source code, internal system architectures, credentials, VPN configurations.
- Documents and drafts of tenders, resolutions, or unpublished measures.
Secure alternatives
- If your organization provides a “governed” AI platform (on-prem or with a data processing agreement), use it only according to policy: logging, auditing, anonymization.
- Apply redaction/masking: replace real data with placeholders (“[NAME]”, “[IBAN]”) and store the mapping separately.
- For translations or rewriting of non-sensitive text, consider internal tools or PA-contracted services that exclude training usage.
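The redaction/masking step above, as an added Python example that is not part of the guide: identifying values are swapped for numbered placeholders before any text leaves the organization, and the mapping is kept locally so the chatbot's answer can be re-personalised afterwards. The tax code, IBAN and e-mail in the sample are synthetic values constructed for the demo; the patterns for Italian codice fiscale and IBAN are assumptions good enough for illustration, not a validation library.

```python
import re

# Constructed sample; the codice fiscale, IBAN and address are synthetic, not real identifiers.
SAMPLE = (
    "Beneficiario: Mario Rossi, CF RSSMRA80A01H501U, IBAN IT60X0542811101000000123456, "
    "importo 1.200,00 EUR. Contatto: mario.rossi@example.it"
)

# Identifier patterns a PA document most often carries (illustrative, not exhaustive).
PATTERNS = {
    "CF": re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b"),   # Italian codice fiscale
    "IBAN": re.compile(r"\bIT\d{2}[A-Z]\d{10}[A-Z0-9]{12}\b"),          # Italian IBAN (27 chars)
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def redact(text: str, names: tuple[str, ...] = ()) -> tuple[str, dict[str, str]]:
    """Replace identifying values with placeholders such as [CF_1]; return the redacted
    text plus the placeholder->value mapping, which must be stored separately."""
    mapping: dict[str, str] = {}
    counters: dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        for ph, original in mapping.items():   # same value twice -> same placeholder
            if original == value:
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"[{kind}_{counters[kind]}]"
        mapping[ph] = value
        return ph

    for name in names:  # person names cannot be pattern-matched reliably, so they are passed in
        text = text.replace(name, placeholder("NAME", name))
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return text, mapping


def restore(text: str, mapping: dict[str, str]) -> str:
    """Put the real values back into the chatbot's answer using the locally kept mapping."""
    for ph, original in mapping.items():
        text = text.replace(ph, original)
    return text


if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE, names=("Mario Rossi",))
    print(redacted)      # this is the only text that would be pasted into the chatbot
    print(mapping)       # this stays inside the organization
```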
Mistakes to avoid
- Asking a public chatbot to “explain this resolution” by pasting the full PDF.
- Pasting database query outputs containing identifying fields.
Example
An employee, to “save time,” pastes a list of beneficiaries’ tax codes into a public LLM. The organization must report a data breach, with reputational damage and potential fines.
Useful attachments (to share with IT)
Monthly employee checklist (excerpt):
- Have I verified that MFA is active on email, VPN, and document suites?
- Have I changed or strengthened weaker passphrases in the password manager?
- Is the screen lock timeout set to 5–10 minutes?
- Have I completed system and critical application updates?
- Are only approved catalog software installed on my PC?
- Am I using only encrypted and authorized storage devices?
- Have I reported suspicious emails to IT?
- Am I familiar with the procedures in case of device loss?
- Do I connect offsite only with VPN active?
- Do I know how to report anomalies (contacts, format)?
- Do I use my PA email only for institutional activities?
- Do I avoid entering sensitive data into unmanaged AI tools?
Quick incident reporting template (1 minute):
- Reported by: Name Surname – Office – Internal phone
- Date/Time: …
- Observed symptoms: …
- Action taken before/after: …
- Attachments: screenshots/logs (yes/no)
Security is a team effort
Cyber security is not only the responsibility of IT experts; it’s a collective duty. Every public administration employee, through small daily actions, can help protect citizens’ data and ensure continuity of services.
The vademecum is not just a list of rules; it’s a practical guide that turns awareness into action. Applying it makes the PA more resilient, reliable, and responsive to the community’s needs.
Questions & answers
- Why is a cyber security vademecum important for the PA?
  Because it provides simple, concrete rules that reduce the risk of human errors, which remain one of the main causes of attacks.
- Do cyber attacks really target Italian public administrations?
  Yes, in 2024 there were 2,756 recorded attacks, with serious consequences for healthcare, universities, and local services.
- What is phishing?
  It’s a technique using fake emails or messages to steal users’ data and credentials.
- What is ransomware?
  Malware that locks systems and demands a ransom to restore them.
- Why are passwords so important?
  They represent the first barrier against unauthorized access.
- What role does artificial intelligence play in security?
  If used carelessly, it can be a risk: sensitive documents pasted into public chatbots may resurface elsewhere.
- What is multi-factor authentication (MFA)?
  A system that adds a second code or device confirmation on top of your password.
- Can I use public Wi-Fi for work?
  Only if strictly necessary, and always with a secure VPN enabled.
- What should I do if I lose my company PC or smartphone?
  Immediately notify the security team to minimize the risk of breaches.
- Is it risky to use work email for personal purposes?
  Yes, it exposes the administration to spam, tracking, and targeted attacks.