2022 was one of the years in which attacks on critical infrastructure in the context of hybrid warfare, as well as attacks on companies by criminal hacker groups, became increasingly frequent. The damage caused by these attacks adds up to millions of euros worldwide every year. In particular, the interface between man and machine, targeted via so-called phishing attacks (social engineering), poses a great danger to the data security and data protection of companies.
Since the beginning of digital data storage, Mull und Partner Ingenieurgesellschaften have continued to improve data security through technical measures (e.g. redundant data storage, storage of data on RAID systems, distributed backups, firewalls, VPN access) and organisational measures (e.g. access authorisations, group memberships). Even before the introduction of the EU Data Protection Regulation, personal data protection was consistently implemented, even in analogue data storage.
Due to restructuring within the MuP Group, three data protection officers have now been appointed for personal data protection. In regular online meetings, the data protection officers exchange information with each other and with the MuP Group's Executive Board about current issues and developments in data protection and data security. In addition, the data protection officers are available to employees as contacts for questions relating to data protection.
To simplify the reporting of possible data protection violations, a group-wide reporting system has been set up for employees. It is used to gather the information necessary for a data protection impact assessment. In the event of a report, not only the data protection officers but also the administrators of the group are informed about the possible incident so that protective measures (e.g. mail blocks, system blocks, preventing the execution of programmes) can be initiated immediately. The data protection impact assessment is used to determine the extent to which the data protection incident must be reported to the competent supervisory authority.
Employees are already being informed by the data protection officers about possible dangers when using e-mail and the Internet. So-called penetration tests are planned, which will identify weak points and further increase the awareness of the employees. Well-informed and trained employees are of great relevance, especially for the MuP Group's "cyber resilience".