We focus on prevention to counteract risks. The first line of defense at HOCHTIEF is security by design. This means the use of technical measures where the implementation process ensures a safe working environment on the basis of system design or configuration. Where recourse is made to organizational measures, these are subject to structured, documented procedures backed up with checks and balances. The measures are flanked by technical analysis systems.

Employee training on cybersecurity is also geared to common and current threats.

Lessons learned from emerging developments are continuously incorporated into security objectives and/or the Information Security Policy.

Initiatives implemented throughout the Group in the reporting year to protect against cybersecurity risks include the following:

• Structured requirements management processes including the management of information security risks (check list, involvement of specified departments, risk assessment, etc.)
• Internal phishing campaign to identify specific action such as a need for employee training
• Automated and manual penetration tests to detect security vulnerability in Internet-facing systems
• Mandatory training for all employees on general information security topics, plus ad-hoc information in the form of newsletters and intranet articles on current threats
• Continuous automated detection of vulnerabilities in Internet-facing systems, with reporting to support structured response processes
• Patch management on the basis of structured technical and organizational processes
• Attack detection and tracking solutions in operation
• Attack surface minimization by using technical measures for global blocking of entry points
• Use of technical means to minimize access to recognized and permitted systems or identities (for example, conditional access or MFA)
• Assessment of cybersecurity risks extended to include business-critical suppliers and business partners
• Structured reporting of business-critical security incidents