Introduction

Denmark is one of the most digital countries in the world. This means that there are many opportunities for IT criminals to try to access or block the data of both citizens and companies. Indeed, there has been a significant increase in the number of targeted ransomware attacks.

Although ransomware and hacking receive the greatest public attention, the statistics from the Danish Data Protection Agency (the Danish DPA) show that the most important security issue in the area of personal data remains human error – typically, in the form of mismanaging emails.

Therefore, Danish authorities and organisations pay great attention to cybersecurity, and several information initiatives have been launched; tools have been developed for private individuals, in particular, to use to improve security. Especially among medium-sized companies, which have so far lagged somewhat behind the big companies, there has now been an increased focus on cybersecurity.

The following are some of the different authorities and organisations, together with the actions they are taking to improve IT and cybersecurity,

National Cyber and Information Security Strategy 2022–2024

Digitalisation is a crucial driver for the development of Danish society, and with technological development comes new opportunities for economic growth and improved welfare. However, with the high degree of digitisation comes an increased risk of criminals trying to exploit any digital vulnerabilities.

Therefore, the Danish government has set four strategic objectives that establish the framework for development towards a stronger and safer digital Denmark:

• robust protection of vital functions;
• increased level of competence and management support;
• strengthening public-private co-operation;
• active participation in the international fight against the cyber threat.

In addition to the strategic objectives mentioned above, more concrete requirements for cyber and information security are also to be complied with by government authorities, including:

• ministerial areas responsible for socially important functions must comply with several new requirements for the organisation of security work around the important functioning of society, including demands for the establishment of a decentralised cyber and information security unit for the financial sector and the development of its own specific strategy;
• government authorities responsible for socially vital IT systems must comply with several new regulatory requirements related to the systems, including new requirements for contract and supplier management, as well as stricter requirements for drawing up contingency plans;
• all government authorities must continue to comply with minimum requirements for, among other things, the organisation of security work, compliance with ISO 27001 and minimum technical requirements.

Centre for Cyber Security

The Danish Centre for Cyber Security, which is part of the Danish Defence Intelligence Service, publishes an annual threat assessment to inform Danish decision-makers, authorities and companies about the cyber threat to Denmark. Such knowledge of the threat must be able to be used to prioritise actions by the individual authority and company.

The main assessment for 2021 is as follows:

• the threat from cybercrime is VERY HIGH;
• the threat from cyber-espionage is VERY HIGH;
• the threat from destructive cyber-attacks is LOW;
• the threat from cyber-activism is LOW; and
• the threat from cyberterrorism is NONE.

Threat levels have not changed compared to 2020.

However, the Centre for Cybersecurity also points out in its assessment for 2021 that the COVID-19 pandemic has led to a sudden increase in the digitisation of many companies' workplaces. This has also created several challenges, as the companies’ employees often do not consider the home workplace as equally exposed. However, in fact, it may prove even more vulnerable; it is, therefore, important to secure remote access.

The Centre for Cyber Security predicts that 5G's arrival in Denmark will result in more and new attack surfaces for the hackers. Although 5G promises better security in mobile services, its complexity will lead to new interfaces in the telecommunications infrastructure. A decentralised network structure, edge and cloud computing, and software that replaces physical hardware are prerequisites for 5G's high performance – but, at the same time, it increases the attack surface.

The many sensors, products and appliances likely to be connected to the internet (ie, the internet of things, IoT) will also open up more and newer surfaces, which increases the demands on security.

Sikkerdigital.dk

On the website sikkerdigital.dk, the Danish Agency for Digitisation and the Danish Business Authority have gathered important knowledge about information security. Here you can find useful advice and guidance, whether you are a citizen, a company or a public authority.

It is also noteworthy that one in four Danish small and medium-sized enterprises have not implemented essential IT security measures, according to Sikkerdigital.dk. To address this problem, it has highlighted seven tips on IT security. These tips provide knowledge and tools for small companies, which can thereby strengthen their basic IT security.

The seven tips, which are further elaborated on Sikkerdigital.dk, are as follows:

• get an overview of important systems and data;
• update applications continuously;
• purchase an antivirus and a firewall system;
• back-up data;
• learn how to spot suspicious emails;
• use strong passwords;
• establish security requirements for your IT vendor.

Hackerstop

Hackerstop is a free awareness programme within information security, developed by Dansk IT, the Danish Industry Foundation and NBI. Based on several questions, knowledge gaps among employees are uncovered. The programme also provides recommendations on how to develop the security skills of employees.

The primary purpose of hackerstop.dk is to create a continuously updated competence boost around IT and information security for small and medium-sized enterprises, an agenda that is a central part of SMEs' overall digital transformation in Denmark.

Improved IT security is essential if companies are to maintain competitiveness, take advantage of digital opportunities, ensure robust production, and reduce the risk of cyber-attacks.

The Hackerstop project is designed to provide companies with clarification and overview and accelerate the efforts already initiated in the companies concerned.

Cybersecurity Council

As part of a political agreement on bills for the Centre for Cybersecurity, the parties behind the agreement decided in 2019 to establish a public-private Cybersecurity Council. With a political agreement on a strengthened Danish cyberdefence from June 2021, the government and the parties behind the agreement have decided to continue the Cybersecurity Council.

The public-private Cybersecurity Council aims to qualify the work of public authorities and businesses and strengthen digital democracy, including the dissemination of knowledge about, and understanding of the threats and opportunities posed by, digitalisation and new technologies. The Cybersecurity Council will focus on the strategic level and, specifically, have the following areas of work:

• contributing strategically to the work on the national cyber and information security strategy;
• contributing to knowledge-sharing, advice and guidance in relation to threats, vulnerabilities, incidents and cyber exercises to relevant parties – for example, through relevant networks and conferences;
• contributing strategically to the development of relevant cybersecurity competencies among citizens and employees – for example, in education and research;
• contributing to the Danish efforts in connection with ENISA's annual "cybersecurity month" every October.

The Cybersecurity Council consists of 21 members from industry, government, consumers and research area. The members' professionalism spans a wide range, and the council thus has strategic, legal and technological competencies. The members have been appointed for a two-year term from 2022–23.

The D-seal

Launched on 22 September 2021, the D-seal (Digital Security) is Denmark's new labelling scheme for IT security and responsible data use, and is the first of its kind in the world. The D-seal clarifies which companies show digital responsibility and thus generates business value to the companies, security to consumers, and creates a stronger digital Denmark.

To be awarded the D-seal, the company must meet several criteria. These include requirements within both IT security and responsible data use. The criteria cover the areas of IT security, data protection and data ethics.

Several important organisations are behind the D-seal, including the Danish Industry Foundation in collaboration with the Confederation of Danish Industry, Danish Chamber of Commerce, SMVdanmark and Forugerrådet Tænk (a consumer organisation).

NemID and MitID

Since 2010, all Danish citizens have used NemID to electronically identify themselves to banks and public authorities, but also to many private online platforms. From October 2021 and over the course of 2022, NemID will be replaced with the more modern – and now purely electronic identification solution – MitID. One element of the self-service issuance of MitID is NFC reading of citizens' passports, which assumes that the citizen has a newer smartphone. Citizens who continue to have an old passport without a chip or do not have a newer smartphone must identify themselves by physical attendance before the issuance.

Danish Convictions of Cybercriminals in 2020–21

In December 2020, the Danish Eastern High Court sentenced a 38-year-old man to three years in prison and confiscated DKK22.4 million for hacking and fraud in connection with online poker games. The man was convicted of installing malware on the victims' computers that allowed him to view their computer screens.

In February 2022, nine men were sentenced to between three and eight years in prison in a case of gross data fraud by misuse of NemID, the Danish security key used for secure communication with, among others, public authorities. Those in question were convicted of installing keyloggers on public library computers, after which they were able to block the security keys and order new ones. The criminals then kept an eye on the victims' mailboxes and stole the new NemID key cards when they were sent by regular post. With such new keys, the criminals could gain access to the users' bank accounts and try to take out loans, etc. The fraud involved DKK47 million for 174 Danish citizens. NemID is currently being replaced by a purely digital solution, MitID; see above, 'NemID and MitID'.

Also, in the past year, the Centre for Cyber Security has identified approximately 500 websites that have tried to steal personal data from Danish citizens, using different methods. Most of the sites have subsequently been blocked by the police or taken down by hosting providers, typically located abroad.

Cyber-attacks against Danish Companies in 2021–22

The following list illustrates that all different types of companies may be at risk of being attacked, and the scope also confirms the Centre for Cyber Security's threat assessment, according to which the threat level for cybercrime is VERY HIGH; see above, 'Centre for Cyber Security'. The list is by no means exhaustive, and there have been many other attacks on SMBs.

Therefore, it is important to ensure that you are secured against cyber-attacks and that you also make precise demands on your suppliers. It is not sufficient that you have secured yourself, if this is not the case for the subcontractors you use.

Danmarks Nationalbank (Denmark’s Central Bank), SAS, Dansk Energi

At the end of June 2021, the story broke that Denmark’s Central Bank had been hit by the so-called "SolarWinds" attack.

In February 2021, Dansk Energi announced that two major energy companies had also been affected by the SolarWinds attack. In the same month, the Scandinavian airline SAS reported that they too were victims of the attack. It is not yet known if any damage has been done, but the attack has allowed for the compromise of Danish infrastructure in the areas of economy, energy and transport, which in itself is alarming.

Bauhaus

In June 2021, Bauhaus – a German construction market chain that also has outlets in Scandinavia – reported that the company had been hit by a ransomware attack. The hacker group "REvil" is believed to have been behind the attack.

Bauhaus in Scandinavia was unable to use its IT systems optimally, and thus the chain lost revenue every day. Systems such as "click and collect" were down, and operations were made so difficult that the company considered paying the ransom.

Bauhaus, however, set about fighting the attack with the assistance of 30 private consultants. Despite this outside workforce, Bauhaus reported continued problems for several weeks after the attack.

Kompan A/S

Kompan A/S, a major Danish company that sells playgrounds for children, was hit by a ransomware attack in the summer of 2021. The company chose not to meet the demand for payment of the purchase price, resulting in the hackers' publication of 500 GB of data, which included images of children on playgrounds, credit card details and strategies, as well as a number of employee information, some of which related to employees who had resigned several years previously.

Illum

On 6 October 2021, Illum, is a Copenhagen department store, was hit by a ransomware attack. A month later, the hackers demanded payment of a ransom for not publishing data about customers, employees and credit cards. The data in question is a list of 36,000 files.

The hacker group behind the attack has consistently threatened to publish the data, but has so far published only a list of the files that they claim to have access to.

Jobnet.dk

In early November 2021, Jobnet.dk, which is the Danish jobcentre's online system connecting jobseekers and employers across the country, became aware of a phishing attack. An attempt was made to get jobseekers to visit a fake job network website, where they were then asked to share a range of information.

Jobnet.dk have contacted all relevant citizens and reported the attack to the Centre for Cybersecurity.

Vestas

Vestas, the Danish wind turbine manufacturer (with 80,000 wind turbines worldwide) was hit by a ransomware attack on 19 November 2021. Cybercriminals had penetrated Vestas' network and had disabled a significant part of the systems. To reopen them, they demanded a ransom.

At first, it was unclear whether the hackers also gained access to the systems that controlled the wind turbines. If Vestas, out of caution, pressed the big button and turned off the 50,000 wind turbines they have direct access to themselves, millions of citizens could be left without power.

The ransomware attack against Vestas was carried out with the type of ransomware called Lockbit 2.0, and probably carried out by Russian hackers. Immediately, there was one compromised C-drive that contained a large number of invoices and other financial documentation on thousands of Vestas trades and customers worldwide from 2018 to 2021. There was also personal information about employees at Vestas.

However, it was feared that hackers had also gained access to the many thousands of wind turbines that Vestas operates and, in this way, could stop the turbines. Fortunately, that was not the case. The stolen data was published by the hackers, but Vestas did not pay the ransom.

Nybolig, Estate and Real Mæglerne

In February 2022, the IT supplier for Nybolig, Estate and Real Mæglerne – three large real estate agents in Denmark – was the victim of a hacker attack. All the websites were shut down, but it appears that no personal data has been compromised.

Conclusion

There is, without any doubt, an increasing focus and awareness on cybersecurity in Denmark, which the many initiatives from governmental institutions such as the Danish Defence, as well as private organisations and businesses, demonstrate.   

Athough most of the recent, publicised cyber-attacks have been ransomware-based – often cyber-attacks are referred to in the media as “hacker-attacks”, and ransomware protection should certainly be a priority for all businesses and institutions – this should not lead to a lowering of the guard when it comes to more professional hacker-attacks, as such one-sided focus on ransomware attacks could lead to vulnerabilities on other areas.

Accordingly, IT security must be more holistic and cover all angles, which will likely lead to a rise in costs of obtaining the necessary level of security.