Proximus Luxembourg: the advantage of a local SOC in protecting municipalities
Faced with the rise in cyberattacks, municipalities find themselves on the front line, often with limited resources to deal with them. In this context, the question of local solutions—capable of responding quickly and understanding on-the-ground realities—becomes central. Insights from David De Bartolo, Cyber Security Analyst at Proximus Luxembourg.
Why have municipalities become preferred targets for cyberattacks in recent years?
We are observing a clear increase in cyberattacks targeting municipalities, which is also reflected in growing interest in cybersecurity solutions such as SOCs (Security Operations Centers). This trend is largely explained by the digitalization of public services. Where much of the information was once stored on paper, it is now kept in IT systems or in the cloud. This shift to digital has mechanically expanded the attack surface, making data more accessible to attackers. Budget constraints must also be taken into account. Municipalities do not have the same resources as large corporations to invest in cybersecurity. As a result, their protection systems are often less advanced, which can make them more vulnerable to increasingly sophisticated attacks.
In addition, the data they hold is a prime target. It includes highly sensitive citizen information such as identity data, administrative records, and sometimes even health-related information. This data has high value on illegal markets, particularly for identity theft or targeted phishing campaigns. Its exploitation can have very real consequences, making it an especially attractive lever for cybercriminals.
What types of attacks are you seeing most frequently today?
We are clearly seeing an explosion of phishing attacks, with an increasingly marked trend toward targeted campaigns. In practice, this very often takes the form of emails that appear completely legitimate, for example with an invoice attached as a PDF file. The user downloads the document without suspicion, but it actually contains malware. Once opened, it can connect to external servers, retrieve information, or in some cases encrypt data through ransomware.
What has truly changed is the level of sophistication. A few years ago, these emails were relatively easy to spot, particularly due to spelling mistakes or awkward phrasing. Today, with the rise of artificial intelligence, messages are much better written, far more convincing, and therefore much harder to detect. Even links may appear trustworthy at first glance, while in reality they redirect to fraudulent websites that sometimes closely mimic official platforms. As a result, phishing remains one of the most widely used attack vectors, but also one of the most effective.
What is the concrete role of a SOC for municipalities, beyond simple system monitoring?
A SOC is not limited to passive monitoring. In practice, we centralize all events coming from IT infrastructures: system logs, server logs, workstation logs, and even security device logs. All this information is aggregated and analyzed in a single location to provide a global, real-time view of what is happening. From there, we apply detection rules that help identify suspicious behavior or attack patterns. When abnormal activity is detected, we can respond quickly, alert the municipality concerned, and most importantly support them in the initial response actions to take.
In the case of a ransomware attack, for example, this may involve isolating a machine to prevent further spread, while preserving the necessary elements for analysis. We also provide continuous incident tracking, from the first alerts through to full resolution. This allows us to understand the evolution of the attack, guide the response in real time, and support the municipality during the recovery phase. The goal is to ensure a fast, structured, and coordinated response to minimize impact as much as possible.
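To make the detection step described above concrete, here is an added example (not Proximus code) of a correlation rule run over aggregated endpoint and firewall logs: a document reader spawning a scripting process on a workstation, followed shortly by an outbound connection from the same host, raises an alert with the first response action named in the interview. The log events, hostnames and IP addresses are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources a SOC would centralize:
# endpoint process-creation logs and firewall connection logs.
# Hostnames, process names and IP addresses are invented for this example.
EVENTS = [
    {"ts": "2024-03-04T09:12:01", "src": "endpoint", "host": "ws-mairie-07",
     "parent": "AcroRd32.exe", "child": "powershell.exe"},
    {"ts": "2024-03-04T09:12:09", "src": "firewall", "host": "ws-mairie-07",
     "dst": "203.0.113.45", "dport": 443, "action": "allow"},
    {"ts": "2024-03-04T09:30:00", "src": "endpoint", "host": "ws-mairie-12",
     "parent": "AcroRd32.exe", "child": "AcroCEF.exe"},  # normal reader helper
    {"ts": "2024-03-04T10:05:00", "src": "firewall", "host": "ws-mairie-12",
     "dst": "198.51.100.7", "dport": 443, "action": "allow"},
]

DOC_READERS = {"AcroRd32.exe", "WINWORD.EXE", "EXCEL.EXE"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=5)  # how soon after the spawn the egress must occur


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_document_dropper(events):
    """Correlate a document reader spawning a scripting child with an allowed
    outbound connection from the same host inside WINDOW. Returns alerts."""
    spawns = defaultdict(list)
    for e in events:
        if (e["src"] == "endpoint" and e["parent"] in DOC_READERS
                and e["child"] in SUSPICIOUS_CHILDREN):
            spawns[e["host"]].append(e)

    alerts = []
    for e in events:
        if e["src"] != "firewall" or e["action"] != "allow":
            continue
        egress_time = parse_ts(e["ts"])
        for spawn in spawns.get(e["host"], []):
            spawn_time = parse_ts(spawn["ts"])
            if spawn_time <= egress_time <= spawn_time + WINDOW:
                alerts.append({
                    "host": e["host"],
                    "rule": "doc-reader-spawn-then-egress",
                    "evidence": [spawn["ts"], e["ts"]],
                    "destination": e["dst"],
                    # First response action from the interview: contain, but keep evidence.
                    "first_response": "isolate host from network; preserve memory and disk image before reimaging",
                })
    return alerts
```

The second workstation shows why the rule correlates two signals: a reader launching its own helper process and a later, unrelated connection do not trigger it on their own.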
How does working with a local SOC provide a real advantage for municipalities compared to a foreign provider?
Choosing a local partner is not just about geographic proximity, but about operational efficiency in crisis situations. When a cybersecurity incident occurs, every minute counts. Being able to rely on teams located in the same country, or even just a few kilometers away, significantly improves response capability. Incident response teams can travel quickly if needed, interact directly with on-site stakeholders, and act without the delays inherent to providers based abroad, where logistics are inevitably more complex.
There are also practical constraints related to how teams operate. Time zones, for instance, can be a major obstacle: an incident occurring during the day in Luxembourg may happen in the middle of the night for a team on the other side of the world. In such cases, response capacity is not the same, particularly in terms of speed and coordination. Communication is another key factor, and not a minor one in such situations. Working in the same linguistic environment, with a shared understanding of Luxembourgish and European regulatory frameworks, helps avoid misunderstandings and speeds up decision-making.
Finally, there is an often underestimated aspect of local knowledge. A local SOC better understands the specificities of municipalities, their organization, their constraints, and their regulatory ecosystem. This proximity allows responses to be adapted in a much more precise and relevant way. In cyber incident management, this combination of responsiveness, contextual understanding, and direct coordination represents a very concrete daily advantage.
How does this relate to digital sovereignty challenges?
Today, a large part of cloud infrastructure still relies on American players such as Microsoft, Google, or Amazon. This dependence is not insignificant: recent outages have shown how many services can become unavailable in a cascading effect. This raises a fundamental question about the real control of data and infrastructure. At both European and national levels, initiatives are emerging to develop alternatives, but the work remains substantial and long-term.
The challenge is to find a balance. Solutions offered by major providers remain attractive, particularly for economic and technological reasons, but it is becoming essential to plan alternatives or fallback solutions. In this context, hybrid approaches are emerging. For example, Proximus offers a cloud based on existing technology, but fully operated and controlled internally, with the ability to be disconnected from the provider’s ecosystem.