EOS sets up Group-wide protective shield for data

• Cybersecurity is becoming increasingly important for companies.
• EOS uses cutting-edge technology to defend its IT network from attacks.
• The new protection shield “Iron EOS” consolidates all security measures across the entire Group.

Sometimes, all it takes is just one click. Via a carelessly opened attachment, a malware program can gain access to a company computer – and shortly afterwards encrypt all the company’s data. More and more, hackers are using these or similar methods to penetrate companies’ IT networks with a view to selling data or demanding ransoms for its decryption.

It is extremely important for the EOS Group as well to repel such attacks. With subsidiaries in 24 countries and thousands of customers, the company has an inventory of sensitive data. “Our greatest asset is data associated with receivables portfolios that we acquire from customers,” says Gunnar Woitack, who is responsible for cybersecurity in the Group in his capacity as Chief Information Security Officer: “These kinds of portfolios not only contain the data of our customers but also of their customers – i.e., defaulting consumers. They all have to be able to trust us to handle these data extremely carefully and do everything to protect them.

This is why in the areas of data protection and information security, EOS employs about 90 people across Europe who use leading-edge technology to protect its IT systems from attackers.

In respect of data protection, they are implementing increasingly more stringent statutory provisions like the EU General Data Protection Regulation. The results speak for themselves: EOS companies in several countries have already easily passed official audits. There are already eight companies certified to ISO 27001 in the area of information security that is not regulated by applicable international laws. Implementation projects have been started at several other companies. ISO 27001 is the internationally recognized standard for information security. Moreover, all EOS companies also adhere to the guidelines of the parent company, the Otto Group. They are broadly in line with ISO 27001.

To meet the growing challenges, Gunnar’s team constantly reviews technologies and processes and adapts them to current circumstances. “We are in an ongoing race with the attackers,” he says: “Although we have worked our way into a good position.” In fiscal 2022/23 alone, Gunnar and his team were able to identify around 600 possible vulnerabilities in the IT systems of EOS rated ‘critical’ or ‘high risk’ and close the respective loopholes before an attacker could exploit them.

To make these defenses even faster and more efficient, EOS is currently setting up an international protective shield: “Iron EOS”, short for “Improving Incident Response@EOS”. Iron EOS is based on a “security information and event management system” (SIEM). What is special about this is that whereas the various EOS companies currently handle the security of their IT infrastructure locally, the SIEM can detect security incidents in the entire international network of EOS using artificial intelligence. This makes it possible to act much quicker.

“In an emergency, however, it’s not just about reacting to an attack as quickly as possible, you also have to respond to it with the right expertise,” Gunnar adds. The SIEM therefore reports anomalies to a central Security Operations Center (SOC), where IT experts carry out a “triage”: Which alerts are benign? Which do we have to follow up?

As well as defending against attacks, SOC staff use a “vulnerability scanner” to constantly scan the IT infrastructure for potential vulnerabilities. They are also supported in their work by an international compliance team. “Thanks to Iron EOS we will be in a position in the future not only to respond quickly but for the first time, to react across the entire Group,” says Gunnar. “In doing so we are taking our cyber-resiliency to the next level.” All EOS companies are set to be protected by Iron EOS as early as the third quarter of 2024.