Information security at Herth+Buss

30. Jun 2019 | Education + Careers

Mobile banking, smartphones, the Cloud – digitalisation and the technological transformation have brought a number of new, exciting developments into our everyday life that influence it in many different ways. Information and data are important assets that have become a preferred target among criminals. The topic of information security and the associated topic of Business Continuity Management are therefore becoming an ever greater focus and presence in everyday operations at companies.

You are probably asking yourself what Herth+Buss, a supplier of car parts for the wholesale industry, has to do with information security. The best way to answer this question is to take a brief look at my work and to go behind the scenes.

The paper-free office

At Herth+Buss, we adopt a largely digital approach! Our work processes are mapped in digital workflows and we also work practically paper-free, for example by archiving all paper documents digitally in our document management system. It's practically impossible to work in our company without a functioning IT system, as all processes and data flows run through our IT infrastructure. Every process is therefore either IT-controlled or IT-supported.

This does mean, however, that we are also susceptible to technology failures in our everyday work with IT. If our most important systems were to fail, practically all processes in the company would come to a standstill. The consequences? We wouldn't be able to supply customers with their desired goods. We would also be unable to operate our goods dispatch system, and losses in both turnover and customer business would be the result.

Where are the risks?

To prevent scenarios like these, it is my job as information security officer to carry out risk analyses for our key systems and applications (where we process information). This takes place together with the relevant persons responsible for the systems/applications.

In these risk analyses, all risks are looked at and assessed with regard to their likelihood of occurrence. The estimated extent of damage and the consequences for the business should the risk occur are also looked at, as are the possible causes for the occurrence. All analyses always focus on the three pillars of information security: confidentiality, availability and integrity.

Once the risk analyses are complete, a decision is made on how to deal with the risks. There are various alternatives here. We can accept the risk and the possible consequences, e.g. because we have assessed the likelihood of occurrence and the extent of damage as low. But risks can also have a very high likelihood of occurrence, combined with significant damage potential. In this case, measures should be taken to address the risks and to reduce the risk of a failure.
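To make the risk analysis described above concrete, here is a small risk register that scores each risk by likelihood and by the worst-case extent of damage across the three pillars (confidentiality, integrity, availability), and then proposes a treatment (accept or mitigate) based on a threshold. This is an added example written for this article, not a tool or method used at Herth+Buss; the asset names, scenarios, scores, level scale and threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed three-step scale for likelihood and for extent of damage.
LEVELS = {"low": 1, "medium": 2, "high": 3}
PILLARS = ("confidentiality", "integrity", "availability")

# Constructed treatment threshold: scores at or above it call for measures,
# scores below it may be accepted together with their possible consequences.
TREAT_THRESHOLD = 4


@dataclass
class Risk:
    asset: str          # system or application where information is processed
    scenario: str       # possible cause / what happens if the risk occurs
    likelihood: str     # "low" | "medium" | "high"
    confidentiality: str  # estimated extent of damage per pillar
    integrity: str
    availability: str


def driving_pillar(risk: Risk) -> str:
    """Return the pillar with the highest estimated damage (first wins on ties)."""
    return max(PILLARS, key=lambda p: LEVELS[getattr(risk, p)])


def score(risk: Risk) -> int:
    """Risk score = likelihood x worst-case extent of damage across the pillars."""
    impact = LEVELS[getattr(risk, driving_pillar(risk))]
    return LEVELS[risk.likelihood] * impact


def treatment(risk: Risk, threshold: int = TREAT_THRESHOLD) -> str:
    """Decide how to deal with the risk: take measures, or accept it."""
    return "mitigate" if score(risk) >= threshold else "accept"


def build_register(risks, threshold: int = TREAT_THRESHOLD):
    """Produce a register sorted from highest to lowest risk score."""
    rows = [
        {
            "asset": r.asset,
            "scenario": r.scenario,
            "score": score(r),
            "driver": driving_pillar(r),
            "treatment": treatment(r, threshold),
        }
        for r in risks
    ]
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed sample risks for a paper-free, IT-dependent company.
SAMPLE_RISKS = [
    Risk("ERP system", "server hardware failure halts order processing",
         "high", "low", "medium", "high"),
    Risk("Document management system", "ransomware encrypts the digital archive",
         "medium", "high", "high", "high"),
    Risk("Intranet wiki", "internal page is accidentally overwritten",
         "low", "low", "low", "low"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['treatment']:<8} {row['asset']} "
              f"({row['driver']}): {row['scenario']}")
```

Running the block prints the register ranked by score, with the ERP hardware-failure scenario at the top (driven by availability) and the wiki scenario at the bottom as an accepted risk. Changing `TREAT_THRESHOLD` or the level scale shows how sensitive the accept/mitigate decision is to the scoring model chosen.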

Business continuity management

Despite detailed risk analyses and planned measures, failures can still occur, as we only have limited influence over external factors such as the environment. We must also be prepared for situations like these.

It is therefore my task as Business Continuity Manager to keep business up and running as far as possible, even in the event of an emergency. To this end, we have created so-called Business Continuity Plans as part of Business Continuity Management, together with all areas involved in the delivery process. These plans outline in detail which measures the relevant area can implement in the event of an emergency to enable work to continue. Our key focus here is: we must be able to deliver to our customers! And because our IT system is so important for this, it goes without saying that emergency plans are also in place here to ensure that we are prepared for all eventualities.

This is only part of my work; information security includes many more aspects, such as data backup, physical security etc., which I will cover in future articles!