The month of May has just begun, and it brings us to a rather bitter reflection, to tell the truth, about the attacks that took place in the first quarter of 2026.
The situation in general
From January to April, according to the RansomNews staff in Italy, about 99 attacks were claimed, i.e. about 24 attacks per month, which corresponds to almost one attack every 29 hours.
| Month | Attacks |
|---|---|
| January | 20 |
| February | 26 |
| March | 25 |
| April | 28 |

From the point of view of their regional distribution, the situation does not change with respect to the trend shown in recent years: there is a clear concentration in the north of the country with the best-known regions leading the ranking.

| Region | Number of attacks |
|---|---|
| Lombardy | 32 |
| Lazio | 10 |
| Emilia-Romagna | 9 |
| Piedmont | 9 |

These data confirm the tendency to hit the richest regions (Lombardy) or those where institutions are most concentrated (Lazio). Clearly, those affected also include companies that, due to their size and operating sector, are affected by NIS2. For example, at the beginning of the year, a company operating in the manufacture, production and distribution of chemicals was affected (Annex II – Other critical sectors). Among other things, this entity (whose name is not relevant here) was at the centre of a series of judicial investigations for pollution and environmental disaster. This information is relevant to the extent that cybersecurity, in order to be set up and maintained, requires discipline and cooperation from the entire organisation, starting from its top management.
The situation in relation to NIS2

Although NIS2 implementation activities are involving many organisations, it would be good to stop and think about ‘how’ this implementation is taking place. Many companies, in fact, experience ACN deadlines as an annoying obligation to be adhered to with as little hassle (and cost) as possible. It is good to clarify that during this period (15 April – 31 May), NIS subjects are required to make the annual update of information. As an exercise to investigate the perception of cybersecurity within NIS-affected (and NIS-impacted) companies, documents such as company financial statements and accompanying reports were consulted. It should be noted that individual items may not stand out to the reader’s eye, because they are aggregated into larger items (e.g. intangible/material assets), but in many cases the expenditure for IT does not even appear in the accompanying reports, which sometimes even contain inaccuracies or generalities that make it clear how little the danger of cyber attacks is still known, if not at a purely theoretical level.
The case of the IT company
In February 2026, an IT services company was hit, and for this reason the exfiltrated data caused some analysts great concern, considering that a critical infrastructure was affected; the results of the attack showed (as usual) a mishandling of the most sensitive files.

The management of administrative systems was entrusted to credentials that were, to say the least, inadequate, as shown in the screenshot below, demonstrating that the problem lies not only with the top roles of organisations, but also with the technical ones, who ‘hope’ never to be the target of a hacker attack.

Needless to say, in many cases, these Excel files also include all IP addresses (public and private) that allow access to portals and systems without any form of filtering. Other examples of the ‘complexity’ of credentials can be found in the following documentation.

It is worth pointing out that these credentials were contained within Word documents without any form of protection, a problem that has been raised dozens of times on this site and qualified as totally inappropriate behaviour.
Conclusions
The problem of the perceived cultural gap related to cyber security is evident despite all the initiatives promoted by organisations and specialists. This also gives rise to a reflection on the quality of these initiatives: are they made with the sincere intention of improving the condition or to make money by selling a mediocre service? Finally, it is good to be self-critical, dear IT colleagues: many evidently conceive IT security as based on hope, and so they and the companies protected by their ‘professionalism’ have no choice but to say ‘let’s hope’.