Organizations have experienced a surge in cyberattacks, with attackers using more sophisticated methods to exploit vulnerabilities. Increasing cybersecurity guidelines and regulations stem from breaches with a high impact on society, bringing more focus on themes such as supply chain risk.

With SolarWinds fresh in mind and fresh in the news, we expected that this breach in particular would be a wake-up call for governmental institutions to work on their concentration risk. The uncomfortable truth, unfortunately, is the opposite in some parts of the world.

At the end of October/beginning of November, threat actors successfully breached the main data center of Südwestfalen-IT (SIT), the IT supplier of 72 German cities and municipalities. Security employees found encrypted data on the servers, indicative of a ransomware attack. Containment procedures were initiated to minimize impact and ensure that the malware did not spread beyond affected systems. This resulted in limited or no service availability for the affected municipalities, such as Plettenberg, Märkischer Kreis, Olpe, Siegen, and Soest. The city of Plettenberg had to write on its Instagram account, “[We] cannot yet predict how long the system failure will last.” One week after the attack, most municipalities were still not operational, and the authorities had to use alternative channels to deliver government services. With a ransom demand in play, full resolution could take up to several weeks.

While these German cities recover, the incident shines another spotlight on the dangers of concentration risk. It also highlights why NIS2 and DORA focus so much on making sure that impacted entities understand their resilience to supply chain-related issues and risks. Even organizations that are not in scope of NIS2 and/or DORA compliance should be focusing on sharpening their management of concentration risk in the supply chain.

Security leaders can use Forrester’s report, The Ransomware Survival Guide, to define a ransomware strategy. In addition, Forrester’s Zero Trust guidance, Mitigating Ransomware With Zero Trust, can help organizations mitigate ransomware risk. And nowadays, it is almost impossible to operate without using third parties, so security leaders need to evaluate these risks with a practical lens: Don’t Wait For The Next Global Crisis To Respond To Concentration Risk. For more insights on third-party risk management platforms, visit our latest landscape, The Third-Party Risk Management Platforms Landscape, Q4 2023, to help you make better decisions.