Lessons Learned for Local Cybersecurity

Practical Implications of a Public Sector Cyberattack for Small and Medium-Sized Municipalities

DOI:

https://doi.org/10.59490/dgo.2025.994

Keywords:

Cybersecurity, local cybersecurity strategy, local digital governance, public sector cyberattack

Abstract

Cybersecurity is an integral part of digital public governance and aims to ensure the confidentiality, integrity and availability of sensitive citizen-, business-, and government-related data. Given the increasing complexity of cyberthreats, driven by the digital transformation of the public sector and emerging technologies, local governments need robust and resilient cybersecurity strategies. This exploratory study examines the October 2023 cyberattack on Südwestfalen IT (SIT), an IT service provider for over 70 municipalities, cities and districts in Germany. As a result of this ransomware attack, public services were severely disrupted for several months for over 1.6 million citizens. Against the backdrop of the particular challenges that local governments face in managing their cybersecurity, this study identifies lessons that small and medium-sized municipalities and cities derive from this cyberattack. The paper adopts a multi-method qualitative exploratory research approach, combining key informant interviews and document analysis through reflexive thematic analysis. Key findings highlight the importance of thorough implementation of cybersecurity standards such as network segmentation, tighter monitoring practices and two-factor authentication. Other key lessons, aimed at mitigating cluster risks, include an increased focus on top-down decision-making to enforce non-negotiable cybersecurity standards, given the need for IT service collaboration and the use of economies of scale resulting from the resource constraints of smaller local administrations. Further practical implications include an increased focus on staff training and implementing change management strategies to reduce resistance to reform at various stakeholder levels.
This exploratory study of SIT's recent cyber incident also serves as an example for small and medium-sized municipalities that are not part of cooperation networks, encouraging them to reconsider their cost-benefit analysis of independent cybersecurity strategies versus collaborative frameworks. Overall, the study offers valuable insights into the implications of cyberattacks for local administrations of small and medium-sized municipalities. As such, it aims to contribute to developing more equitable and resilient cybersecurity strategies.

Published

2025-05-21

How to Cite

Schmidt, J. M., Mahula, S., & Crompvoets, J. (2025). Lessons Learned for Local Cybersecurity: Practical Implications of a Public Sector Cyberattack for Small and Medium-Sized Municipalities. Conference on Digital Government Research, 26. https://doi.org/10.59490/dgo.2025.994

Section

Research papers