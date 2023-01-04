

Cybersecurity is making progress inside the buildings of the public administration. The Agid 2022 data confirm the positive trend already recorded last year, and they do so with remarkable results: the PA sites considered safe, that is, those that use a correctly configured HTTPS protocol, have more than doubled compared to 2021, and even quadrupled compared to 2020.

The numbers

As required by the three-year plan for information technology in the public administration, the Agency for Digital Italy has monitored, from 2020 to today, the use of suitable HTTPS protocols and the update status of the CMS (web content management software that does not require specific programming skills) on public administration sites. This year there are 9,022 secure sites, compared to 4,149 in 2021, while the percentage of sites with serious problems, whose HTTPS configuration is easily circumvented, has decreased from 53% to 41%. The number of poorly configured sites, i.e. those with an HTTPS configuration that does not meet modern standards, is also decreasing: from 23% in 2021 to 11% this year. Sites that are not equipped with HTTPS represent a very small slice: 1% of the total.

Don’t let your guard down

A positive trend which, however, should not lead us to lower our guard, warn Giovanni Amato and Saverio Mastropierro, who curate the monitoring: «There has certainly been an improvement, but this shouldn’t reassure us at all. The fact that the situation has improved doesn’t mean that it’s going well, but that compared to before when we were zero, we’re now at a good point. For example, as far as CMS are concerned, almost half of the domains are not updated to the latest release».

Updated software (few)

And in fact the data speak for themselves: only a quarter of the sites use a version of the CMS with the latest update, and although the growth is 8% compared to 2021, it must be taken into account that 2021 had recorded a drop of 52 percent compared to 2020. However, it was not possible to carry out the survey on all sites: «A CMS normally displays its version – they explain –. If it doesn’t, it means that a security plugin has been used that disables version exposure to prevent someone from scanning for an outdated version and taking advantage of it. So from a certain point of view the fact that 21% of the CMS monitored did not expose the version can be understood as a positive value: it means that they had the foresight to install a plugin to protect themselves from any bots, automatic tools able to scan and detect the version to exploit the vulnerabilities of an old CMS and compromise it».

A push from Google

In general, however, the momentum remains positive. Two factors have contributed: on the one hand Google, which penalizes domains without a secure protocol and has therefore indirectly pushed the institutions to update the HTTPS protocols of their sites; on the other, the Agid monitoring itself, through which the administrations took note of their situation and undertook corrective actions where necessary. From next year the monitoring will pass into the hands of the newly created Acn, the National Cybersecurity Agency, established by decree law 82/2021.