Information Security

  • Material topic: Information security

Expanding Internet Security

Apart from protecting customer data, the main objective of information security is to maintain United Internet’s ability to do business and to reduce negative impacts on its business operations.

Customer trust in the measures we take to ensure information security is the basis for them trusting us both with personal digital information such as photos, documents, and e-mails, and with business data (e.g., when running applications in the cloud).

The information that we have to protect comprises not only customer data but also employee and business data. It is processed in our internal systems by business processes that are themselves part of our products. We aim to protect this information against unauthorized access and misuse across the entire, complex product environment. We use technical and organizational measures to actively manage information security so as to meet our protection goals of confidentiality, integrity, and availability. The measures we take to protect our product landscape against unauthorized access and misuse are derived from the requirements of our security guidelines. Our security strategy aims to use specific security management measures to achieve and continuously enhance these protection goals throughout the Group at an appropriate and uniform level.

We base our activities here on internationally recognized standards. For example, our information security management system (ISMS) is certified as complying with ISO 27001. Establishing and expanding our effective, scalable security organization is particularly important here. In addition, planning and achieving information security objectives is a key part of implementing and maintaining our ISMS.

Management Using Our Information Security Management System (ISMS)

The ISMS for the Consumer Access, Consumer Applications, and Business Applications segments is managed by the TechOps Information Security unit in line with the business strategy of the participating companies. Among other things, the unit is responsible for managing information security guidelines, developing security instructions, training staff, communicating with government authorities about security issues, and performing information security risk management. The Technical Security & Abuse Management department provides advice on security architectures and on application, system, and network security. This unit trains employees in secure development and operations, performs security tests, and handles security incidents together with the departments concerned.

The Head of Information Security is also one of the Group’s telecommunications security officers under the German Telecommunications Act (Telekommunikationsgesetz – TKG) and reports regularly to the Chief Technology Officers in the relevant segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Security architects and experts from the TechOps Information Security department support the Head of Information Security in designing and implementing wide-ranging security enhancements across individual segments.

Senior management at the Business Access Segment is responsible for information security there. This responsibility is delegated to the Head of Information Security and his team, who are therefore responsible for implementing the security measures and managing the segment’s ISMS. The Information Security Guidelines are the top-level policy here.

Information security there is structured using the “three lines of defense” (TLoD) model. The Information Security Management department is an important component of this model. Among other things, it develops and adopts guidelines and work instructions that serve as the basis for security measures, requirements, and activities. These are then implemented by the staff responsible in the various departments. The Head of Information Security is also the segment’s Telecommunications Security Officer under the TKG and reports regularly to the CFO.

Information Protection Measures

The Federal Office for Information Security (BSI) describes the threat from cyberspace as “higher than ever” (1). United Internet uses telecommunications and information technology to provide services as part of business processes whose availability could be endangered by threats from the internet or from internal sources. In addition to the availability risk, there is a risk that attacks could, for example, result in customer data being read, deleted, or misused. Measured in terms of their potential impact, threats from the internet represent one of the largest risk groups facing United Internet. Vulnerabilities can have far-reaching consequences, both for United Internet’s reputation and for its customers.

United Internet has taken the following technical and organizational security measures, among others, to contain such risks. No sanctions in the form of fines were imposed on the United Internet Group in the 2022 reporting period for security violations or other security-related incidents.

(1) Source: BSI report, The State of IT Security in Germany 2022, October 25, 2022 (German only)

Technical Measures
  • GRI 417-1
  • Secure software development
    The best approach to security is to prevent vulnerabilities from arising in the first place. All segments apply a Secure Software Development Life Cycle (SSDLC), at varying levels of maturity, whose methodology builds security into the software development process from the very start. A number of different measures are an integral part of product development: threat analyses, dual-control source code reviews, automated checks, wikis of development and security best practices, and application penetration tests. As agile development methods and new technical platforms spread, the SSDLC is being continuously expanded to cover secure dependency management up to and including secure containerization. The SSDLC has also been expanded to include privacy-by-design requirements alongside the existing security-by-design requirements.

  • Global distributed DDoS shield
    Distributed denial of service (DDoS) attacks are concerted internet attacks originating from many sources at once that are designed to reduce the availability of our services. We use an internally developed, continually optimized global DDoS shield to protect ourselves against these attacks. One component of this system scrubs the incoming traffic stream when a DDoS event is detected, letting through only legitimate customer requests. A second component acts as a web shield at the application level, protecting internet services from attack. To keep pace with the ever-growing responsibilities in this area, the Network department established a dedicated team of security experts, Defense Platform Services, in 2021, with the aim of continuously improving the DDoS mitigation platforms and maintaining a constant high level of security.

  • Systematic use of encryption – Transport Layer Security (TLS)
    We use TLS, the successor to the older SSL (“Secure Sockets Layer”) protocols that it has replaced, to encrypt customer data in transit. In addition, we make TLS functionality available to customers to protect their own data traffic, e.g., when passwords or payment information are entered in online shops.

  • Georedundancy
    We operate data centers in multiple, geographically separate locations in Europe and the USA. This allows us to store information at a variety of different locations and to minimize the risk of business interruptions and data loss caused by external factors.

  • Data centers certified in accordance with ISO/IEC 27001
    Annual ISO 27001 certifications document the secure operation of our IONOS data centers and certain aspects of our systems operations and software development activities, ensuring we can offer our customers the best possible security standards. An initial IT-Grundschutz certification of the IONOS cloud was successfully completed in 2022. In addition, our British data centers were certified as complying with the Payment Card Industry Data Security Standard, PCI DSS. Other complementary standards and certifications (such as certification in accordance with cloud security standards) are also being planned.
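As an added illustration of the “automated checks” and “secure dependency management” stages of the SSDLC described under Secure software development above (example code written for this page, not United Internet’s own tooling; the lockfile contents, package names and digests are constructed placeholders), the following Python gate rejects a pip lockfile unless every dependency is pinned to an exact version and carries a strong artifact hash, so that a later `pip install --require-hashes` can only install the reviewed artifacts:

```python
"""Lockfile gate for secure dependency management (added illustration).

Rejects a pip requirements/lockfile unless every requirement is pinned to
an exact version and carries at least one strong artifact hash, so that
`pip install --require-hashes` will only install reviewed artifacts.
Example code written for this page; it is not United Internet's tooling,
and the sample lockfile below is constructed.
"""
import re
from dataclasses import dataclass

_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"        # distribution name
    r"(\[[^\]]*\])?"                         # optional extras
    r"\s*(===|==|~=|>=|<=|!=|>|<)?"          # version operator
    r"\s*([^\s;\\]*)"                        # version (stops at space / marker)
)
_HASH_RE = re.compile(r"--hash=([A-Za-z0-9_]+):([0-9A-Fa-f]+)")
_DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}  # hex chars
_SOURCE_OPTS = ("-i", "--index-url", "--extra-index-url", "--find-links", "-f")


@dataclass
class Finding:
    line_no: int      # line where the logical requirement starts
    name: str         # "" for option lines
    problem: str


def logical_lines(text):
    """Strip comments and blank lines, join backslash continuations."""
    out, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((start, (buf + line).strip()))
        buf, start = "", None
    if buf:                                   # dangling continuation at EOF
        out.append((start, buf.strip()))
    return out


def check_lockfile(text):
    """Return a list of Findings; an empty list means the file passes."""
    findings = []
    for no, line in logical_lines(text):
        if line.startswith("-"):
            # An index override inside the lockfile lets an attacker-controlled
            # mirror serve the artifacts; the index belongs in the CI config.
            if line.split()[0] in _SOURCE_OPTS:
                findings.append(Finding(no, "", f"index/source override: {line.split()[0]}"))
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append(Finding(no, "", "unparseable requirement"))
            continue
        name, _, op, version = m.groups()
        if op != "==" or not version or "*" in version:
            findings.append(Finding(no, name, "not pinned to an exact version"))
        hashes = _HASH_RE.findall(line)
        if not hashes:
            findings.append(Finding(no, name, "no --hash, artifact cannot be verified"))
        for algo, digest in hashes:
            want = _DIGEST_LEN.get(algo.lower())
            if want is None:
                findings.append(Finding(no, name, f"weak or unknown hash algorithm {algo}"))
            elif len(digest) != want:
                findings.append(Finding(no, name, f"malformed {algo} digest"))
    return findings


def lockfile_is_clean(text):
    """True when the lockfile can be installed with --require-hashes safely."""
    return not check_lockfile(text)


# Constructed sample; the digests are placeholders, not real package hashes.
SAMPLE_LOCKFILE = "\n".join([
    "# generated by the build, reviewed before merge",
    "requests==2.31.0 \\",
    "    --hash=sha256:" + "a" * 64 + " \\",
    "    --hash=sha256:" + "b" * 64,
    "urllib3>=1.26",
    "certifi==2023.7.22",
    "pyyaml==6.0.1 --hash=md5:d41d8cd98f00b204e9800998ecf8427e",
    "--extra-index-url https://mirror.example.invalid/simple",
]) + "\n"

if __name__ == "__main__":
    for f in check_lockfile(SAMPLE_LOCKFILE):
        print(f"line {f.line_no}: {f.name or '-'}: {f.problem}")
```

Run against the constructed sample, the gate reports five findings: `urllib3` is neither pinned nor hashed, `certifi` has no hash, `pyyaml` uses MD5, and the `--extra-index-url` line would let the install resolve packages from an unreviewed mirror; `requests` passes. In CI the check would run before the install step and fail the build on any finding.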

Organizational Measures
  • Staff training
    In addition to technology, humans are an important part of all aspects of the security chain. Basic training and refresher courses (both face-to-face and e-learning offerings) are used to provide employees with information. Our mandatory e-learning course must be repeated every two years. In addition, managers are given specific training on data privacy and compliance issues.

  • Information security rules
    Our comprehensive rulebook, which is based on ISO 27001, is designed to provide employees in all departments with guidance. Our mandatory Information Security Guidelines serve as its formal basis. We use a variety of communication channels to present these rules to different groups and make them easily accessible to employees. In addition to the training courses already mentioned, our intranet provides tips, tricks, and explanations of the rules for key employee roles. Our regular onboarding events, our security training courses, and our intranet also list the contact points to which employees must report potential or suspected security incidents, defined as violations of the rules or other threats to the Company, without undue delay.

  • Security audits
    Information Security conducts product, process, and system audits in order to ensure that the ISMS is effective. These are supplemented by checks within individual departments and by external audits. The departments also plan and perform audits independently; these audits, which are often commissioned externally, are supported by the distributed security organization. One increasingly common tool here is the maturity model. In particular, the technical departments responsible for customer data use a security maturity model developed by Information Security. The departments’ development activities benefit from a clear assessment of where they currently stand, while the model also provides a tool for independent, focused, and comparable improvements. Maturity models make it possible to plan effort-intensive, in-depth audits more efficiently, directing them to the places where they support maturation most effectively.

  • Continuous monitoring
    We also continuously monitor our IT systems in order to discover vulnerabilities as quickly as possible. In addition to local monitoring, our Security Information and Event Management (SIEM) system, which has been customized and enhanced internally to fit our environment, allows us to capture incidents and can trigger appropriate responses. To ensure continuous improvement, we measure the time taken to distinguish between security incidents (e.g., attacks) and non-security incidents (e.g., interrupted power circuits). We also capture our response times from the point at which we receive notification of a problem until its resolution. In addition, we have defined internal targets for certain security-related goals, such as availability.

  • Security incident handling
    All business segments have defined, standardized processes for handling security incidents. Once an incident is detected, a trained incident manager is responsible for addressing its resolution. Where necessary, he or she also consults the Security Team or external experts.

Integrating Business Acquisitions

We perform a thorough review of existing technical and organizational information security measures before entering into business combinations with other companies, and at key points in the integration process that follows. A maturity analysis based on international standards is used for this. Information Security then supplements the maturity level established in this way by conducting a risk assessment and recommending actions. A range of integration measures are then decided on and implemented, depending on the results and on our business strategy. Acquired companies are included in United Internet’s Information Security Management System (ISMS) where this is considered sensible. The goal is to establish an appropriate, Group-wide security standard. In 2022, we22 GmbH and World4You Internet Services GmbH were integrated into TechOps Information Security’s Group ISMS. Additional companies are already at an advanced stage of the integration process.