GRASP German GRC

Reality Check: Do You Have an IT Emergency Plan?

Max Mustermann

Published on: 17.07.2025

An Unforeseeable Event with Far-Reaching Consequences

In 2023, a devastating cyberattack hit Südwestfalen-IT (SIT), an IT service provider supporting over 100 municipalities in North Rhine-Westphalia, Germany. The incident — marked by the compromise of critical IT systems — led to an unprecedented shutdown of local government services. Many citizens were left facing closed municipal offices. Particularly alarming was that the hacker group Akira successfully guessed passwords — without any two-factor authentication (2FA) in place. Even more concerning, according to the IHK Digitalization Survey 2022, only 40% of surveyed companies had an IT emergency plan in place. The ease with which institutions can be overwhelmed — and the uncertainty that follows — is a troubling prospect.

The Impact of the Attack

The attack on Südwestfalen-IT disrupted essential public services such as citizen registration offices, passport departments, and vehicle registration. Many municipalities had to revert to pen and paper. Uncertainty surrounding the integrity of data backups — and whether they had also been compromised — added to the complexity. SIT has since initiated numerous improvements.

But the bigger question remains: what can municipalities do now? Is 100% security even possible? No. Every new security measure is also just one more obstacle that attackers will work to overcome. In the SIT case, some services could continue without IT support, while others had to be shut down completely.

The key issue is whether an emergency plan exists — and whether it is up-to-date and effective. In an era when IT staff still rely on printed contingency plans kept in desk drawers, it is clear that such outdated methods are no longer acceptable. Today's IT incidents can affect virtually the entire organization. Integrated management systems offer a way to stay operational in a worst-case scenario: they help not only to handle the consequences but also to understand the scope of an attack.

What Would the Process Look Like with a Management System and Emergency Plan in Place?

While platforms like GRASP are not cybersecurity systems per se, they help organizations respond quickly and efficiently to cyberattacks. GRC (Governance, Risk & Compliance) and IRM (Integrated Risk Management) solutions like GRASP support risk assessments, reporting, and communication — with their real strength lying in incident management.

Incident management aims to clearly communicate who must do what by when in the event of a cyberattack. Ideally, this structured approach restores normal operations while minimizing business disruptions. By classifying and prioritizing incidents and using standardized processes, responsiveness and efficiency are greatly improved. GRASP securely documents every step and aligns with key security standards. Through this organized and automated approach, organizations improve their overall security posture and significantly reduce the impact of cyberattacks.

Conclusion

The cyberattack on Südwestfalen-IT clearly illustrates how vulnerable digital infrastructures can be. It highlights the urgent need for municipalities to invest in robust security systems and contingency planning. An integrated management system like GRASP can play a critical role in this effort.

What to Do When the Worst Happens

1. Speed and access to accurate information are essential!

2. There must be multiple ways to report incidents (in person, email, Teams, phone, IT ticket, IMS incident management).

3. Involve the Information Security Officer (ISO).

4. Inform all involved and affected parties.

5. Notify management.

6. Communicate with employees — and potentially suppliers, authorities, and regulators.

Emergency Management with GRASP in the Event of a Cyberattack

Phase 1: Analysis

First, the damage is assessed and affected systems are isolated to prevent further spread. Staff are informed so that everyone can react appropriately. This helps limit the damage and supports a rapid response.

Phase 2: Containment and Bridging

Systems like order processing may be taken offline, and orders can be recorded manually. A sandbox — a secure, isolated environment — enables the safe analysis of suspicious activity without affecting production systems.

Phase 3: Remediation

Security measures are reviewed and vulnerabilities are addressed. Malware must be completely removed. The system is then restored to ensure secure and stable operation. These steps are crucial for reestablishing security and preventing future attacks.

Phase 4: Recovery

Recovery begins with testing systems and servers to ensure everything functions properly. Once successful, normal operations resume. Simultaneously, employee awareness training should take place to improve understanding of security risks and prevent future incidents.

Phase 5: Post-Incident Processing

Manual records created during the outage must be entered into the system. Securing the status quo means documenting and backing up all relevant data and configurations — so that a known and stable state can be restored if needed later.

Phase 6: Reporting

Finally, all affected stakeholders should be comprehensively informed. All actions taken must be thoroughly archived. New measures — such as updated employee policies — should be tracked and evaluated for effectiveness, to ensure continuous improvement and readiness for future incidents.
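The six phases above, together with the "who must do what by when" requirement from the incident management section, can be expressed as a small state machine: an incident may only move to the next phase once the evidence that phase calls for has been recorded, and every recorded step is written to a hash-chained log so that later alteration of the record is detectable. The following Python is an added illustration written for this article; it is not GRASP code and does not reflect how GRASP stores its data. The phase names, the per-phase evidence items in EXIT_CRITERIA, the actor roles and the incident identifier are all assumptions chosen to match the phase descriptions.

```python
"""Incident tracker modelled on the six phases above (constructed example, not GRASP code)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Phase(IntEnum):
    ANALYSIS = 1
    CONTAINMENT = 2
    REMEDIATION = 3
    RECOVERY = 4
    POST_INCIDENT = 5
    REPORTING = 6


# Evidence items that must be logged before a phase may be left.
# The item names are assumptions derived from the phase descriptions in the article.
EXIT_CRITERIA: dict[Phase, set[str]] = {
    Phase.ANALYSIS: {"affected_systems", "staff_informed"},
    Phase.CONTAINMENT: {"systems_isolated", "manual_fallback"},
    Phase.REMEDIATION: {"malware_removed", "vulnerabilities_fixed"},
    Phase.RECOVERY: {"systems_tested", "awareness_training"},
    Phase.POST_INCIDENT: {"manual_records_entered", "known_good_state_backed_up"},
    Phase.REPORTING: {"stakeholders_informed", "measures_tracked"},
}

GENESIS = "0" * 64  # chain anchor for the first log entry


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the entry's own hash, in canonical JSON order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Incident:
    incident_id: str
    phase: Phase = Phase.ANALYSIS
    closed: bool = False
    evidence: dict[Phase, set[str]] = field(default_factory=dict)
    log: list[dict] = field(default_factory=list)

    def _append(self, **fields) -> None:
        # Each entry carries the previous entry's hash, so editing or deleting any
        # entry breaks the chain and is caught by verify_log().
        entry = {
            "ts": fields.pop("ts", None) or datetime.now(timezone.utc).isoformat(),
            "phase": self.phase.name,
            "prev": self.log[-1]["hash"] if self.log else GENESIS,
            **fields,
        }
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def record(self, actor: str, item: str, note: str = "", ts: str | None = None) -> None:
        """Log one completed action (who did what) for the current phase."""
        if self.closed:
            raise ValueError("incident is closed")
        self.evidence.setdefault(self.phase, set()).add(item)
        self._append(actor=actor, item=item, note=note, ts=ts)

    def missing(self) -> set[str]:
        """Exit criteria of the current phase that have not been evidenced yet."""
        return EXIT_CRITERIA[self.phase] - self.evidence.get(self.phase, set())

    def advance(self, actor: str, ts: str | None = None) -> Phase:
        """Enter the next phase; refuse while the current phase's evidence is incomplete."""
        gaps = self.missing()
        if gaps:
            raise ValueError(f"cannot leave {self.phase.name}: missing {sorted(gaps)}")
        if self.phase is Phase.REPORTING:
            self.closed = True
            self._append(actor=actor, item="incident_closed", note="", ts=ts)
            return self.phase
        self.phase = Phase(self.phase + 1)
        self._append(actor=actor, item="phase_entered", note="", ts=ts)
        return self.phase

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo() -> Incident:
    """Walk one constructed incident through all six phases with fixed timestamps."""
    inc = Incident("INC-2025-0001")  # constructed identifier
    script = {  # constructed actions; actor roles are assumptions
        Phase.ANALYSIS: [("iso", "affected_systems", "file server and citizen portal"),
                         ("iso", "staff_informed", "all-staff notice sent")],
        Phase.CONTAINMENT: [("ops", "systems_isolated", "affected segment disconnected"),
                            ("ops", "manual_fallback", "orders recorded on paper")],
        Phase.REMEDIATION: [("ops", "malware_removed", "hosts rebuilt from clean image"),
                            ("ops", "vulnerabilities_fixed", "2FA enforced on remote access")],
        Phase.RECOVERY: [("ops", "systems_tested", "services verified before go-live"),
                         ("hr", "awareness_training", "phishing training scheduled")],
        Phase.POST_INCIDENT: [("clerk", "manual_records_entered", "paper orders re-keyed"),
                              ("ops", "known_good_state_backed_up", "config snapshot taken")],
        Phase.REPORTING: [("iso", "stakeholders_informed", "report sent to management"),
                          ("iso", "measures_tracked", "policy update on review list")],
    }
    tick = 0
    for phase, actions in script.items():
        assert inc.phase is phase
        for actor, item, note in actions:
            tick += 1
            inc.record(actor, item, note, ts=f"2025-07-17T10:{tick:02d}:00+00:00")
        inc.advance("iso", ts=f"2025-07-17T10:{tick:02d}:30+00:00")
    return inc


if __name__ == "__main__":
    demo = run_demo()
    print(f"{demo.incident_id}: {len(demo.log)} log entries, chain intact: {demo.verify_log()}")
```

The point of the exit criteria is that a phase cannot be skipped under pressure: calling advance() on a fresh incident raises and names the missing items, which is the "who must do what by when" check made executable. The hash chain is a lightweight stand-in for the tamper-evident documentation the article attributes to GRASP; in a real deployment the chain head would additionally be anchored outside the system that is under attack.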