Information Security

Expanding Internet Security

  • NfS: Customer-related Matters/Information Security

Customer trust in the measures we take to ensure information security is the basis for ensuring that they feel able to trust us both with personal digital information such as photos, documents, and e-mails, and with business data (e.g., when running applications in the cloud).

The information that we have to protect comprises both customer and employee data. It is handled in our internal systems in business processes that are in turn part of products. We aim to protect information against unauthorized access and misuse throughout the entire, complex product environment. In the process, we ensure we comply with the protective goals of preserving confidentiality, availability, and integrity. Our security strategy aims to use specific security management measures to achieve and continuously enhance our protective goals throughout the Group at an appropriate and uniform level.

We base our activities here on recognized international standards. For example, we have implemented an information security management system (ISMS) in accordance with ISO 27001. Establishing and expanding our effective, scalable security organization is particularly important here.

Management Using Our Information Security Management System (ISMS)

Apart from protecting customer data, the main objective of information security is to maintain United Internet’s ability to do business and to reduce negative impacts on its business operations.

The overarching ISMS is managed by the Information Security department, in keeping with the participating companies’ business strategies. This department comprises two teams: Service and Security Management, and Technical Security. Among other things, the Service and Security Management team is responsible for managing information security guidelines, developing security instructions, training staff, communicating with government authorities about security issues, and performing information security risk management. The Technical Security team provides advice in relation to security architectures, and applications, systems, and network security. This unit trains employees how to ensure secure development and operations, performs security tests, and handles any security incidents together with the departments concerned.

The Head of Information Security – who is also one of the Group’s telecommunications security officers under the German Telecommunications Act (Telekommunikationsgesetz – TKG) – reports regularly to the Chief Technology Officers in the relevant segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Security architects and experts from the Information Security department support the Head of Information Security in designing and implementing wide-ranging and overarching security enhancements.

Information Protection Measures

  • NfS: Policies Pursued
  • GRI 417
  • GRI 417-1

Vulnerabilities can have far-reaching consequences, both for United Internet’s reputation and for customers. United Internet has taken the following technical and organizational security measures, among others, to prevent such risks.

Technical Measures

  • Secure software development
    The best approach is to prevent security vulnerabilities arising in the first place. All segments use various maturity levels of the Secure Software Development Life Cycle (SSDLC), which consistently includes security in the software development process at a methodological level right from the start. Generally speaking, a number of different measures are an integral part of product development – from threat analyses and dual-control source code reviews through automated checks and wikis of development/security best practices, down to application penetration tests. As the use of agile development methods and new technical platforms spreads, the SSDLC is being continuously expanded to include secure dependency management up to and including secure containerization.

  • Global distributed DDoS shield
    Distributed denial of service (DDoS) attacks are concerted internet attacks originating from multiple sources that are designed to reduce the availability of our services. We use an internally developed global DDoS shield, which is optimized continually, to protect ourselves against these attacks. One component of this system cleans the incoming data stream on an event-driven basis in the event of a DDoS attack, only letting through legitimate customer queries. A second component acts as a web shield at application level, protecting internet services from attack. To keep pace with the constantly increasing responsibilities in this area, the Network department established a dedicated Defense Platform Services team of security experts in 2021, with the aim of continuously improving the DDoS mitigation platforms and maintaining a constant high security level.

  • Systematic use of encryption – Transport Layer Security (TLS)
    We use TLS (“Transport Layer Security”), which is also widely known under the name of its predecessor, SSL (“Secure Sockets Layer”), for encrypted transmission of customer data. In addition, we make TLS functionality available to customers to protect their data traffic, e.g., for entering passwords or payment information such as in online shops.

  • Georedundancy
    We operate data centers in multiple, geographically discrete locations in Europe and the USA. This allows us to store information at a variety of different locations and minimize the risk of business interruptions and data losses caused by external factors. In addition, planning of the “Regions and Availability Zones” policy within the IONOS Cloud Platform progressed in the 2021 reporting period, and will successively be transferred to production starting in 2022. This is designed to enable customers to specifically influence the location and redundancy of the applications they run on our platform.

  • Data centers certified in accordance with ISO/IEC 27001
    We commission annual ISO 27001 audits of the secure operation of our data centers and certain aspects of our systems operations and software development activities so as to ensure we can offer our customers the highest possible security standards. In 2021, IONOS started working towards a supplementary IT-Grundschutz certificate for security verifications specifically for the German customer segment. The first step was the successful completion of an IT-Grundschutz test. Other complementary standards and certifications are also being planned.

Organizational Measures

  • Staff training
    In addition to the technology, humans are an important part of all aspects of the security chain. Basic training and refresher courses (both face-to-face and e-learning offerings) are used to provide employees with information. In 2019, our previously voluntary e-learning course was turned into a mandatory measure that must be repeated every two years. In the 2021 reporting period, a mandatory Company-wide refresher course was launched for the first time. A total of 68% of employees had already completed the renewed training at the end of the year. What is more, classroom training courses were used to raise awareness of information security among 328 employees. Virtual classroom courses, which have been deployed to a greater extent since the start of the COVID-19 pandemic, extend the reach of the training to more remote locations. In addition, managers are given specific training on data privacy and compliance issues.

    In October 2021, an Information Security Awareness Month was held at our location in Cebu, the Philippines in addition to the conventional e-learning courses. Brown bag lunches and “Lunch & Learn” sessions, flanked by activities and guest presentations for employees, were held in order to reinforce the importance of information security.

    In addition, 1&1 ran a campaign in the fourth quarter of 2021 to raise staff awareness of phishing via e-mails. This campaign was successfully completed, with more than 100 employees attending, and will be extended to other areas of the Company in 2022.

  • Information security rules
    Our comprehensive rulebook, which is based on ISO 27001, is designed to provide employees in all departments with guidance. Our mandatory information security guidelines serve as the formal basis for this. We use a variety of different communications channels to present these rules to different groups and make them easily accessible for employees. In addition to the abovementioned training courses, our intranet provides tips and tricks and explanations of the rules for key employee roles. These also include our internal “Information Security and Data Privacy” brochure, which gives clear explanations of the most important rules governing how to handle information and data. Bound copies of this brochure are handed out at our regular onboarding events. The brochure and our intranet also list the contact points to which employees must report potential or suspected security incidents – i.e., violations of the rules or other threats to the Company – without undue delay.

  • Security audits
    The Information Security unit conducts product, process, and system audits in order to ensure the effectiveness of the ISMS. These are supplemented by audits and checks within the departments and by external audits. End-user departments also plan audits and perform these independently. These audits, which are often commissioned externally, are supported by the distributed security organization. One increasingly common tool here is the maturity model. In particular, the technical departments that are responsible for customer data use a security maturity model developed by Information Security. The departments’ development activities benefit from a clear assessment of where they currently stand, while the model also provides a tool for independent, focused, comparable improvements. Maturity models offer an efficient way of planning effort-intensive, in-depth audits more effectively: they allow audits to be scheduled for those places where they support maturation most effectively.

  • Continuous monitoring
    We also continuously monitor various IT systems in order to discover any vulnerabilities affecting data as quickly as possible. In addition to local monitoring, our Security Information and Event Management (SIEM) system, which has been customized and enhanced internally to fit our environment, allows us to capture any incidents and can trigger appropriate responses. To ensure continuous improvement, we measure the time taken to distinguish between security incidents (e.g., attacks) and non-security incidents (e.g., interrupted power circuits). We also capture our response times from the point at which we receive notification of a problem to its resolution. In addition, we have defined internal targets for certain security-related goals, such as availability.

  • Security incident handling
    All business segments have defined standardized processes for handling security incidents. Once an incident is detected, a trained incident manager is responsible for pushing forward with its resolution. Where necessary, he or she also consults the Security Team or external experts.

Integrating Business Acquisitions

We perform a thorough review of existing technical and organizational information security measures before entering into business combinations with other companies, and at key points in the integration process that follows. A maturity analysis based on international standards is used for this. Information Security then supplements the level of maturity established by conducting a risk assessment and recommending actions. A range of integration measures are then agreed on and implemented, depending on the results and our business strategy. Acquired companies are included in United Internet’s Information Security Management System (ISMS) where it makes sense to do this. The goal is to establish an appropriate, Group-wide security standard. In 2021, planning started on introducing a joint target ISMS covering those IONOS subsidiaries that do not form part of the Group ISMS.