Information Security

Expanding Internet Security

For United Internet, information security is a core component of acting responsibly in the digital world. Customer trust in the measures we take to ensure information security is the basis for ensuring that they feel able to trust us both with personal digital information such as photos, documents, and e-mails, and with business data (e.g., when running applications in the cloud).

The information that we have to protect comprises both customer and employee data. It is processed in our internal systems in business processes that are in turn part of products. We aim to protect information against unauthorized access and misuse throughout the entire, complex product environment. In the process, we ensure we comply with the goals of preserving confidentiality, availability, and integrity. Our security strategy aims to achieve and continuously enhance our protection goals throughout the Group at an appropriate and uniform level.

We base our activities here on recognized international standards. For example, we have implemented an information security management system (ISMS) in accordance with ISO 27001. Establishing and expanding our effective, scalable security organization is particularly important here.

Management Using the Information Security Management System

Apart from ensuring customer data security, the main objective of information security is to maintain United Internet’s ability to do business and to reduce negative impacts on its business operations.

In keeping with the participating companies’ business strategy, the cross-segment ISMS is managed in the Information Security department. This department comprises two teams: Service and Security Management, and Technical Security. Among other things, the Service and Security Management team handles the management of information security guidelines, security instructions, staff training, communication with government authorities, and security risk management. The Technical Security team provides advice on security architectures and on application, system, and network security. This unit trains employees in secure development and operations, performs security tests, and handles any security incidents together with the departments concerned. The Technical Security team received an international boost in 2020 when it was joined by the security team at our Spanish subsidiary, Arsys.

The Head of Information Security, who is also one of the Group’s telecommunications security officers under the German Telecommunications Act (“Telekommunikationsgesetz”, TKG), reports regularly to the chief technology officers in the relevant segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, security-related measures taken, the results of security audits, and key security trends.

Information Protection Measures

  • GRI 417
  • GRI 417-1

Vulnerabilities can have far-reaching consequences, both for United Internet’s reputation and for customers. United Internet has taken the following technical and organizational security measures to prevent such risks.

Technical Measures
  • Secure software development
    The best approach is to prevent security vulnerabilities from arising in the first place. All segments use various maturity levels of the Secure Software Development Life Cycle (SSDLC), which consistently includes security in the software development process at a methodological level right from the start. Generally speaking, a number of different measures are an integral part of product development – from threat analyses and dual-control source code reviews through automated checks and wikis of development/security best practices, down to application penetration tests. As the use of agile development methods spreads, the SSDLC is being continuously expanded to include secure dependency management up to and including secure containerization.

  • Global distributed DDoS shield
    Distributed denial of service (DDoS) attacks are concerted Internet attacks originating from multiple sources that are designed to reduce the availability of our services. We use an internally developed global DDoS shield, which is optimized continually, to protect ourselves against these attacks. When a DDoS attack is detected, this system is triggered to scrub the incoming data stream, letting through only legitimate customer requests.

  • Systematic use of encryption – Transport Layer Security (TLS)
    We use TLS, which is also known under its former name, SSL (“Secure Sockets Layer”), for encrypted transmission of customer data. In addition, we make TLS functionality available to customers to protect their data traffic, e.g., when entering passwords or payment information in online shops.

  • Geo-redundancy
    We operate data centers in multiple, geographically discrete locations in Europe and the USA. This allows us to store information at a variety of different locations and minimize the risk of business interruptions and data losses caused by external factors.

  • Data centers certified in accordance with ISO/IEC 27001
    The ISMS used in our data centers is certified annually in accordance with ISO 27001 so as to ensure we are offering our customers the highest possible security standards. In 2020, we expanded the scope of this certification to include more parts of our IT operations and software development.

Organizational Measures
  • Staff training
    In addition to the technology, humans are an important part of all aspects of the security chain. Basic training and refresher courses (both face-to-face and e-learning offerings) are used to provide employees with information. In 2019, our previously voluntary e-learning course was turned into a mandatory measure that must be repeated every two years. We achieved our target of reaching 80% of staff with our e-learning course. In addition, virtual “classroom training courses” were used to raise awareness of information security among 294 employees in 2020. These virtual courses were stepped up due to the circumstances surrounding the COVID-19 pandemic. They will remain an important means of supplementing face-to-face classes once it is over. Only employees who have been made aware of the dangers can effectively address the risks arising from, for example, phishing or social engineering. This is why developers and administrators receive special face-to-face technical training that is tailored to their particular requirements. In addition, managers are given special training on data protection and compliance issues.

  • Information security rules
    Our comprehensive rulebook, which is based on ISO 27001, is designed to provide employees in all departments with guidance. Our mandatory information security guidelines serve as the formal basis for this. We use a variety of different communications channels to tailor these rules to different groups and make them easily accessible for employees. In addition to the abovementioned training courses, our intranet provides tips and tricks and explanations of the rules for key employee roles. These include our internal brochure on information security and data protection, which gives clear explanations of the most important rules governing how to handle information and data. Bound copies of this brochure are handed out at our regular onboarding events. The brochure and our intranet also list the contact points to which employees must report potential or suspected security incidents – i.e., violations of the rules or other threats to the Company – without undue delay.

  • Security audits
    Information Security conducts product, process, and system audits in order to ensure the effectiveness of the ISMS. These are supplemented by audits and checks within the departments and by external audits. Maturity models are an increasingly common tool here. In particular, the technical departments that are responsible for customer data use a security maturity model developed by Information Security. The departments’ development activities benefit from a clear assessment of where they stand, while the model also provides a tool for independent, focused, comparable improvements. Maturity models offer an efficient way of planning effort-intensive, in-depth audits more effectively, allowing audits to be scheduled for those places where they support maturation most effectively.

  • Continuous monitoring
    We also continuously monitor various IT systems in order to discover any vulnerabilities affecting our data as quickly as possible. In addition to local monitoring, our Security Information and Event Management (SIEM) system, which has been customized and enhanced internally to fit our environment, allows us to capture any incidents and can trigger appropriate responses. To ensure continuous improvement, we measure the time taken to distinguish between security incidents (e.g., attacks) and non-security incidents (e.g., interrupted power circuits). We also capture our response times from the point at which we receive notification of a problem to its resolution. In addition, we have defined internal targets for certain security-related goals, such as availability.

  • Security incident handling
    All business segments have defined standardized processes for handling security incidents. Once an incident is detected, a trained incident manager is responsible for pushing forward with its resolution. Where necessary, he or she also consults the Security Team or external experts.

  • Information security during the COVID-19 pandemic
    The restrictions imposed during the COVID-19 pandemic meant that we had to enable employees to work from home across the board and at short notice while upholding information security standards. The central Information Security department worked together with the security managers in the individual departments to provide support for security-related changes associated with working from home. This allowed security requirements to be taken into account appropriately as part of our established, agile change process. Many staff were already able to use the Company’s infrastructure to work securely from outside the office via a VPN (virtual private network). The security organization ensured the secure operation of networks and IT components at all times, even during the COVID-19 pandemic, based among other things on corporate identity management with multi-factor authentication and on DDoS proxy protection.

Integrating Business Acquisitions

We perform a thorough review of existing technical and organizational information security measures before entering into business combinations with other companies, and at key points in the integration process that follows. A maturity analysis based on international standards is used for this. Information Security then supplements the level of maturity established by conducting a risk assessment and recommending actions. A range of integration measures are then resolved and implemented, depending on the results and our business strategy. Where it makes sense to do so, acquired companies are included in United Internet’s Information Security Management System (ISMS). The goal is to establish an appropriate, Group-wide security standard. In 2020, the companies belonging to Drillisch AG (which was acquired in 2017 and is now known as 1&1 Drillisch) were reassigned from the Consumer Access Segment to Group ISMS, and Cronon GmbH was reassigned to it from Business Applications.