The report concerns the protection of four essential government institutions against ransomware attacks. The study includes the Danish Health Data Authority, the Ministry of Foreign Affairs, Banedanmark and the Danish Emergency Management Agency. These four institutions were selected because they are responsible for delivering essential services within health, foreign affairs, transport and emergency preparedness, where access to data can be of critical importance.
The purpose of the study is to assess whether the four institutions have satisfactory protection against email-based ransomware attacks.
The study shows that several common security controls to mitigate attacks have not been implemented by the four institutions. This means that all four institutions are exposed to an increased risk of email-based ransomware attacks that would leave them unable to deliver their services for a shorter or longer period.
The study was initiated by Rigsrevisionen and is based on the findings of four IT audits carried out from April to September 2017. The study provides a snapshot of how well protected the institutions are against ransomware.