
The digital world harbours risks: cyber attacks are on the rise and are becoming increasingly sophisticated. That is why we are establishing a strong information security management system and a new identity and access management system, and are preparing ourselves for the new EU-compliant security guidelines. Here you can find out how we are preparing for the future and which guidelines apply to employees to ensure IT security.
The threat of cyberattacks remains acute. Attacks on the IT of companies and institutions have become noticeably more professional in recent years. This makes it all the more important to protect and secure yourself. Among other things, new EU security regulations make this mandatory.
According to Statista, a survey conducted in 2023 revealed that around 58 per cent of the companies surveyed in Germany had been the victim of a cyberattack at least once. According to the Federal Statistical Office, digital crime in Germany increased by over 30 per cent in 2023. In addition to the misuse of online payment systems, this also includes undelivered goods from classified ad platforms, fraudulent technical support and CEO fraud - i.e. criminals pretending to be the CEO via email. The proportion of phishing emails has increased particularly sharply.
This is also confirmed by our Head of Information Security, Franjo Pelstring: "The number of cyberattacks and the number of companies severely affected by them continues to rise. This is not just an impression created by reports, but is exactly what our security systems reflect. Fortunately, these systems have always been able to protect us well so far."
One reason for the increased cyber threat is that the perpetrators have become more and more professional. Phishing emails in particular can now only be reliably identified with the appropriate background knowledge. This is why our IT security department also offers regular training courses.
"As a heterogeneous company that operates across borders, we not only have very specific challenges, but as a food retailer we are also obliged to adhere to strict regulations when it comes to our IT security," says Franjo Pelstring.
The most important prerequisite here is a group-wide, common working basis. Franjo Pelstring: "It's basically like in road traffic. There we have a common road traffic code that says we have to stop at red lights or stop at pedestrian crossings. We need a similar system for dealing with IT and information security risks."
With the information security management system, his division has now laid this foundation so that the IT risk situation is measured using the same methods and standards throughout the REWE Group. For IT security, this means that a standardised basis for risk assessment has been created. Using key figures, a common picture of the entire Group can be formed and the right conclusions drawn.
As a result - and this is also a reason for the recent update of the guidelines - we are also prepared for the upcoming new EU laws, including the NIS2 Regulation. It must be transposed into national law throughout the EU and extends our obligations in terms of technical, operational and organisational security measures. This means that parts of REWE Group that have not yet been affected by the strict rules for critical infrastructures (KRITIS) are also subject to the law. "Common standards are a prerequisite for implementing the measures resulting from the law at a reasonable cost," says Franjo Pelstring.
Identity and access management (IAM) in turn defines uniform standards for authorisations: What authorisations do I need, and for what? The basic principle here is that everyone from the manager to the cleaning staff gets what they need, but no more, and that authorisations are withdrawn again when there is a change of personnel.
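The two IAM rules above (exactly the entitlements a role needs, and withdrawal on a change of personnel) are easiest to see as a joiner/mover/leaver lifecycle. The following is an added illustration written for this page, not REWE Group's IAM system; the roles, entitlement names and staff records are constructed for the example. It also shows the audit check a practitioner would want: listing entitlements an account holds beyond what its current role justifies.

```python
"""Role-based entitlement lifecycle: joiner / mover / leaver.

Added example, not REWE Group's IAM tooling. Role model and staff
records are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed role model: each role maps to exactly the entitlements it needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "store_cashier": {"pos.login", "till.operate"},
    "store_manager": {"pos.login", "till.operate", "shift.plan", "stock.order"},
    "admin_clerk": {"erp.read", "erp.invoice"},
    "cleaning": {"building.door"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]
    entitlements: Set[str] = field(default_factory=set)


class EntitlementStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def joiner(self, user: str, role: str) -> None:
        # A new account receives exactly its role's entitlements, nothing more.
        self.accounts[user] = Account(user, role, set(ROLE_ENTITLEMENTS[role]))

    def mover(self, user: str, new_role: str) -> None:
        # Change of role: the old entitlements are withdrawn, the new role's granted.
        acct = self.accounts[user]
        acct.role = new_role
        acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])

    def leaver(self, user: str) -> None:
        # Leaving the company: every entitlement is withdrawn.
        acct = self.accounts[user]
        acct.role = None
        acct.entitlements.clear()

    def grant(self, user: str, entitlement: str) -> None:
        # Ad-hoc grant outside the role model; this is what the audit should catch.
        self.accounts[user].entitlements.add(entitlement)

    def is_allowed(self, user: str, entitlement: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and entitlement in acct.entitlements

    def excess_entitlements(self) -> Dict[str, Set[str]]:
        """Entitlements held beyond what each account's current role justifies."""
        report: Dict[str, Set[str]] = {}
        for acct in self.accounts.values():
            justified = ROLE_ENTITLEMENTS.get(acct.role, set()) if acct.role else set()
            extra = acct.entitlements - justified
            if extra:
                report[acct.user] = extra
        return report


if __name__ == "__main__":
    store = EntitlementStore()
    store.joiner("anna", "store_cashier")
    store.joiner("ben", "admin_clerk")
    store.grant("anna", "stock.order")   # temporary cover that was never revoked
    print("excess before offboarding:", store.excess_entitlements())
    store.mover("ben", "store_manager")  # moved from administration to a store
    store.leaver("anna")                 # left the company
    print("excess after offboarding:", store.excess_entitlements())
```

The mover step replaces the entitlement set rather than adding to it, which is the point of the principle: a colleague who moves from administration to store management must not keep invoice access on the way.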
Ultimately, all employees are affected by the regulations, each within their own area of responsibility. The requirements for the Top Ex differ from those for employees in administration or in the stores.
The Group Policy on the secure handling of IT systems and information is relevant for everyone. It has been tightened up in a few places. The most important change is the password policy: in future, users will have to create longer passwords - passphrases, to be precise. Other Group Policies, on the other hand, are primarily aimed at IT staff and senior managers who deal with authorisation concepts or the timely replacement of IT devices, for example.
Passphrase
A passphrase is basically a very long password, i.e. a long string of letters and words. The important thing is that this string is completely meaningless and does not exist in any book in the world. Hackers use all kinds of texts, from encyclopaedias to literature, to crack passphrases.
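To show why "long" and "not in any book" are two separate requirements, here is an added example (written for this page, not REWE Group's password tooling) that checks a passphrase against both. The minimum length, the minimum word count and the small "known text" corpus are assumptions constructed for the example; a real check would index a large corpus of literature, lyrics and leaked passwords, which is the same material the text says attackers draw on.

```python
"""Passphrase check: long enough, and not a fragment of a known text.

Added example, not REWE Group's actual policy or tooling. Thresholds and
the corpus below are constructed assumptions for this illustration.
"""
import re
from typing import List, Set, Tuple

MIN_CHARS = 20   # assumed threshold, not a figure from the Group Policy
MIN_WORDS = 4    # assumed threshold
NGRAM = 3        # consecutive words that count as "taken from a known text"

# Constructed stand-in for the encyclopaedias and literature attackers use.
KNOWN_TEXTS = [
    "It was the best of times, it was the worst of times",
    "To be, or not to be, that is the question",
    "The quick brown fox jumps over the lazy dog",
]


def words(text: str) -> List[str]:
    """Lower-case word tokens; punctuation and case must not hide a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_ngram_index(texts: List[str], n: int = NGRAM) -> Set[Tuple[str, ...]]:
    """Index every run of n consecutive words found in the corpus."""
    index: Set[Tuple[str, ...]] = set()
    for text in texts:
        w = words(text)
        for i in range(len(w) - n + 1):
            index.add(tuple(w[i:i + n]))
    return index


KNOWN_NGRAMS = build_ngram_index(KNOWN_TEXTS)


def check_passphrase(phrase: str, index: Set[Tuple[str, ...]] = KNOWN_NGRAMS) -> List[str]:
    """Return the reasons a passphrase is rejected; an empty list means it passes."""
    problems: List[str] = []
    w = words(phrase)
    if len(phrase) < MIN_CHARS:
        problems.append(f"shorter than {MIN_CHARS} characters")
    if len(w) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    # One matching run of NGRAM words is enough: the phrase is a quotation, not random.
    for i in range(len(w) - NGRAM + 1):
        fragment = tuple(w[i:i + NGRAM])
        if fragment in index:
            problems.append("contains a fragment of a known text: " + " ".join(fragment))
            break
    return problems


if __name__ == "__main__":
    for candidate in ["To be or not to be, that is the question",
                      "Correct Horse Battery Staple",
                      "brown fox jumps"]:
        print(repr(candidate), "->", check_passphrase(candidate) or "ok")
```

The famous quotation is long and has plenty of words, yet it is rejected, because length alone does not help once the phrase appears in an attacker's word lists; a meaningless string of words of the same length passes.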