Information Security

  • Material topic: Information security

The main objective of information security is to protect the data being processed and hence to reduce negative impacts on the Company, its employees, and its customers. Customer trust in the information security measures taken is the bedrock for them entrusting United Internet with their business data and personal information (digital data such as photos, documents, and e-mails).

Expanding Internet Security

The personal and non-personal information requiring protection comprises not only customer data but also the United Internet Group’s employee and business data. This is partially processed within internal business processes or used to create products and services. United Internet’s goal is to protect this information against unauthorized access and misuse throughout the entire, complex product environment.

The individual segments’ security strategies aim to achieve the security goals of confidentiality, availability, and integrity throughout the Group. Security management in the segments is based on highly targeted technical and organizational measures. These are derived from the security guideline requirements, which in turn are based on the following criteria:

  • Business customer requirements

  • Statutory requirements such as those contained in the German Telecommunications Act (Telekommunikationsgesetz – TKG) or the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG)

  • International standards such as ISO 27001

The measures taken to protect the product landscape against unauthorized access and misuse are constantly upgraded. United Internet’s information security management system (ISMS) is based on international standards such as ISO 27001, BSI IT-Grundschutz, and BSI C5. Building on this, an assessment is made as to whether an appropriate, risk-based, effective approach to information security challenges exists – from security management down to implementation of the security requirements in the operating security units. In addition, planning and achieving information security objectives is a key part of implementing and maintaining the ISMS.

Management Using the Information Security Management System (ISMS)

The ISMS for the Consumer Access, Consumer Applications, and Business Applications segments is managed by the TechOps Information Security unit in line with the individual business strategies. Among other things, the department is responsible for policy management and performs information security risk management. In addition, it develops security instructions and employee training courses, and is responsible for communication with public authorities, e.g., in the case of reportable security incidents. The Technical Security & Abuse Management department provides advice on security architectures and on application, system, and network security. It trains employees in secure development and operations, performs security tests, and handles any security incidents together with other departments. The department also develops and operates systems that are used in abuse management processes. These processes ensure that support is provided to customers in security incidents for which they themselves are responsible, helping them to use United Internet’s products securely again.

The Head of Information Security is also one of the telecommunications security officers under the TKG for the Consumer Access, Consumer Applications, and Business Applications segments. He reports regularly to the segments’ chief technology officers. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Security architecture experts, among others, support the Head of Information Security in designing and implementing wide-ranging security enhancements across individual segments.

Senior management at the Business Access Segment is ultimately responsible for information security there. It commissions the Head of Information Security and his department to operate and continuously improve the ISMS. This establishes structured and focused security management. Information security in the Business Access Segment is organized using the “three lines of defense” (TLoD) model. Information Security Management represents the second line of defense under this model.

Among other things, the department develops and adopts policies and work instructions that serve as the basis for operational security measures, requirements, and activities. These are then implemented by the staff responsible in the various departments, the first line of defense. A Security Operations Center works 24 x 7 to identify, contain, and remedy security attacks. The Head of Information Security is also the Business Access Segment’s Telecommunications Security Officer under the TKG and reports regularly to the Management Board.

Information Protection Measures

Germany’s Federal Office for Information Security (BSI) describes the threat from cyberspace as “higher than ever” (1). United Internet uses telecommunications technology and information technology to provide services in the context of business processes whose availability and proper functioning could be endangered by threats from the internet or from internal sources. In addition to availability risk, there is a risk that hacking attacks could, for example, result in customer data being read, deleted, or misused. Potential threats from the internet represent one of the largest risk groups facing United Internet, measured in terms of their impact. Vulnerabilities could have far-reaching consequences, both for United Internet’s reputation and for employees and customers.

United Internet has taken the technical and organizational security measures described below, among others, to contain such risks. No sanctions in the form of fines were imposed on the United Internet Group in the 2023 reporting period for security violations or other security-related incidents.

Technical Measures
  • GRI 417-1
  • Secure software development
    The best approach is to prevent security vulnerabilities from arising in the first place. All segments use various maturity levels of the Secure Software Development Life Cycle (SSDLC), a methodology that builds security into the software development process right from the start. Generally speaking, a number of different measures are an integral part of product development, from threat analyses and dual-control source code reviews through automated checks and developer documentation down to application penetration tests. As the use of agile development methods and new technical platforms spreads, the SSDLC is being continuously expanded to include software dependency analyses up to and including secure (software) containerization. The SSDLC has also been expanded to include privacy by design requirements in a similar manner to the security by design requirements.

  • Global distributed DDoS shield
    Distributed denial of service (DDoS) attacks are concerted internet attacks originating from multiple sources that are designed to reduce the availability of services. The Group works together with partners to protect United Internet against these attacks using an internally developed global DDoS shield, which is optimized continually.

    A dedicated team of experts is entrusted with continuous improvement of the DDoS mitigation platforms and with maintaining a constant high level of security. The Business Access Segment uses a DDoS product from a third-party provider.

  • Systematic use of encryption – Transport Layer Security (TLS)
    TLS, which is also known under its former name of SSL (“Secure Sockets Layer”), is used for encrypted transmission of customer data. In addition, the Group makes TLS functionality available to its customers to protect their data traffic, e.g., when entering passwords or payment information. United Internet bases the strength of its encryption on the recommendations of recognized international authorities such as the U.S. National Institute of Standards and Technology (NIST) or Germany’s BSI.

  • Georedundancy
    United Internet operates data centers in multiple, geographically discrete locations in Europe and the U.S.A. This allows it to store and back up information at a variety of different locations, minimizing the risk of business interruptions and data losses caused by external factors.

  • Certification of Group data centers
    The companies in the Group ensure that United Internet is able to offer its customers the highest possible security standards by having the secure operation of the IONOS data centers, the 1&1 Versatel data centers and technical areas falling within the scope of certification, certain systems operations at Customer Support, and software development activities certified in accordance with ISO 27001 and BSI IT-Grundschutz. Other security certifications are obtained for areas above and beyond the data centers; these include the IT-Grundschutz or BSI C5 (cloud security) certifications recognized in Germany, plus international standards such as PCI DSS (for electronic payment systems). In addition, business continuity management (BCM) in the business customers area is constantly enhanced.

Organizational Measures
  • Staff training
    Going beyond the technology, humans are an important and ever-present aspect of United Internet’s security chain. Basic training and refresher courses (both classroom and e-learning offerings) are used to provide employees with information on security issues. The mandatory e-learning course must be repeated every two years. In addition, managers are given specific training on data privacy and compliance issues.

  • Information security rules
    A comprehensive rulebook aims to provide employees in all departments with guidance. The mandatory Information Security Policy serves as the formal basis for this within the Group. This rulebook is continually enhanced and updated at segment level so as to reflect up-to-the-minute technological challenges. It is disseminated using a variety of different communications channels, depending on the target groups concerned. In addition to the training courses that have already been mentioned, tips and tricks and explanations of the rules for key employee roles are available on the intranet. The regular introductory event, security training courses, and the intranet all give the contact points to which employees must report potential or suspected security incidents – defined as violations of the rules or other threats to the Group – without undue delay.

  • Security audits
    Product, process, and system audits are performed in order to ensure the effectiveness of the ISMS. They are supplemented by checks performed by the departments themselves and by external checks. The audits, which are often commissioned externally, are supported by the distributed security organization. Maturity models are an increasingly common tool here. In particular, the technical departments that are responsible for customer data use a security maturity model developed by Information Security. The departments’ development activities benefit from clear positioning, while the model also provides a tool for implementing independent, focused, and comparable enhancements. Maturity models offer an efficient way of planning effort-intensive, in-depth audits more effectively. They allow audits to be planned for those places where they support maturation most effectively.

  • Continuous monitoring
    The various IT systems are monitored continuously in order to discover any vulnerabilities as quickly as possible. In addition to local monitoring, the Security Information and Event Management (SIEM) system, which has been customized and enhanced internally, permits any incidents to be captured and can trigger appropriate responses. The time taken to distinguish between security incidents (e.g., attacks) and non-security incidents (e.g., interrupted power circuits) is measured to facilitate continuous improvement. The response times from the point at which notification of a problem is received to its resolution are also logged. In addition, internal targets have been defined for certain security-related goals, such as availability.

  • Security incident handling
    All business segments have defined standardized processes for handling security incidents in compliance with standards such as ISO 27001. Once a significant incident is detected, a trained incident manager takes responsibility for its resolution. Where necessary, he or she also consults the Security Team or external consultants.

Integrating Business Acquisitions

United Internet performs a thorough review of existing technical and organizational information security measures before entering into business combinations with other companies, and at key points in the integration process that follows. A maturity analysis based on international standards is used for this. The level of maturity established in this way is supplemented by a risk assessment complete with recommended actions. A range of integration measures are then decided on and implemented, depending on the results and the business strategy. Acquired companies are integrated into United Internet’s Information Security Management System (ISMS) where this is considered sensible. The goal is to establish an appropriate, Group-wide security standard. In 2023, home.pl and United Domains were integrated into the Group ISMS. Additional companies are already at an advanced stage of the merger process.