EOS Journal_02.16_Englisch
EOS JOURNAL
THE MAGAZINE FOR CLIENTS OF THE EOS GROUP – ISSUE 02.2016

SECURITY FOR THE CROWN JEWELS
How companies protect important information with a system

SECURITY COMES FROM WITHIN
Why all staff must be involved

Focus on information security
Sensitive data: Advanced protection is necessary

EDITORIAL

Hans-Werner Scherer
Chairman of the EOS Group’s Board of Directors

Dear Reader,

If we were to stack up all the tablet PCs holding the global data volume from 2013, we would create a tablet tower reaching two-thirds of the way from Earth to the moon. The data volume in 2020 is expected to be 6.6 times the distance to the moon. Along with the growth in data, requirements for protection of digital information increase too.

At EOS, we have always dealt with our clients’ and their end clients’ sensitive data very carefully, and we are continuously developing and evolving our security concept. Most recently the Otto Group implemented data protection guidelines for all its companies. Read more about this on page 13. On page 10, you will learn which requirements information security systems should meet in companies today.

Governments also increasingly regulate the handling of data for the protection of consumers and companies alike. With the ratification of the General Data Protection Regulation in the spring for instance, the EU wants to standardise data protection laws across the 28 member states. The new rules also concern passing on data, such as to debt collection specialists. Three experts from the EOS Group explain how the new regulation works on page 8.

I hope you enjoy reading this edition.
Yours sincerely,
Hans-Werner Scherer

2 EOS Journal

CONTENTS

02 Editorial
02 Contents
02 Publication details
03 News
04 Italian for advanced – How the debt collection specialist Omniatel stands alongside EOS clients in Italy
08 Debt collection remains possible – Three experts on the effects of the new EU General Data Protection Regulation for EOS
09 Profiting from market cleansing – EOS KSI in Slovakia in position to purchase B2C receivables packages
10 Security trumps risk – Companies should guard their crown jewels: What the protection of sensitive data means
13 Advocates for information security – Chief Information Security Officer Gunnar Woitack on the new data protection concept from EOS
14 Internal security – In order to effectively protect important information, all employees must be involved
16 A must in the Mediterranean – Marseille has developed into a trendy French metropolis. Time for a rendez-vous

PUBLICATION DETAILS

Publisher: EOS Holding GmbH; V.i.pd.P.: Lara Flemming
Address: Steindamm 71, 20099 Hamburg; Tel.: +49 40 2850-1222; Fax: +49 40 2850-1551
Production: JDB MEDIA GmbH; Tel.: +49 40 468832-27
Editing: K. Günther (Head), U. Feldhusen, A. Hessler, M. Hintze, U. Maris, C. Reuscher
Graphics: I. Sellentin (AD), S. Georgi
Image editing: J. Poppe (Head), U. Dinse
Printing: D+L Printpartner GmbH
Photos: Agnieszka Wozniak/Caiaimage/Getty Images (p. 12), bamlou/iStock.com (p. 2), Bertrand Gardel/hemis.fr/laif (p. 18, 19), Betsie Van Der Meer/Getty Images (p. 15), Borut Trdina/iStock.com (p. 11), Camille Moirenc/hemis/laif (p. 16), Christophe BOISVIEUX/laif (p. 18), Dmitry Serebryakov (p. 3), EOS (p. 2, 3, 8, 9), Fred MARVAUX/REA/laif (p. 19), Glow Images (p. 17), Hedda Gjerpen/iStock.com (p. 5), iStock.com (p. 16, 19), Jann Klee (p. 17), Jan-Peter Boening/Zenit/laif (p. 19), Jean-Bernard Carillet/Getty Images (p. 18), Jean-Daniel Sudres/hemis.fr/laif (p. 19), Jesus Ines/EyeEm/Getty Images (p. 11), John Pavel/iStock.com (p. 5), Marion Beckhäuser/laif (p. 17), Masterfile/RF (Cover, p. 2, 10, 11), Mauritius Images/SFM Stock 3/Alamy (p. 6), Michael Wissing/Stock Food (p. 17), Nico Tondini/robertharding/laif (p. 2, 16), PR (p. 12, 14), Sebastian Vollmert (p. 3, 7, 13), Thilo Weilmar (p. 2, 4, 5, 6), Wallet/Le Figaro Magazine/laif (p. 18), Wavebreak Media LTD/Wavebreak Media Ltd./Corbis (p. 2, 14)

NEWS

New commitment
Kirsten Pedd is the head of the German federal association of debt collection companies (BDIU).

The BDIU’s motto is ‘debt collection means responsibility’. Kirsten Pedd also stands for this guiding principle. As Chief General Counsel of the EOS Group, she champions transparency and integrity and understands the significance of professional debt collection for an intact national economy. At the annual general meeting in April, the BDIU members elected Ms Pedd as President with an overwhelming majority, making her the first woman to be at the head of the association. Ms Pedd has represented EOS in the BDIU for 15 years. In the past eight years she has been active on the law and compliance committee. The fully qualified lawyer will promote and support the respectable debt collection industry throughout Germany.

Kirsten Pedd: The EOS Chief General Counsel is the newly appointed chairwoman

Grand plans
With the new managing director and another location, EOS wants to grow more in Russia.

From Moscow to the Volga: in December 2015, EOS in Russia established a new branch in Volgograd. As well as a call centre, which will soon be home to up to 200 employees, the company is building a new legal department in Volgograd. The primary focus of this new legal department will be to support the increasing number of debt collection cases that go before the court. But why Volgograd? ‘Up until now, EOS has only been active in a relatively small part of Russia. We are looking for this to change,’ explains Anton Dmitrakov, who took over as the Managing Director of EOS in Russia in August 2015.
‘The new location in Volgograd represents a position in a region of Russia that has hardly been developed by us yet, and provides us with a very good range of qualified potential employees.’ The finance and credit expert, who previously worked in managerial positions at banks and other debt collection companies for several years, also has grand plans that go beyond the new branch in Russia. ‘We want to build upon our presence in this country even further.’ Mr Dmitrakov also plans to unlock some new fields of business, such as international debt collection: ‘The reorientation of certain services helps us to further extend our customer base. In this way, we will significantly strengthen the EOS brand in Russia.’

Anton Dmitrakov: The new Managing Director strengthens EOS in Russia

More weight in Europe
EOS Credirec in France is intensifying its association work. Managing director Nathalie Lameyre has been president of the French Fédération Nationale de l’Information d’Entreprise et de la Gestion de Créances (FIGEC) since 2006. Along with the FIGEC she has joined the European counterpart, the Federation of European National Collection Associations (FENCA). ‘Now we can work on the European level for the debt collection industry interests in data protection, simpler exchange of data and the dismantling of bureaucratic hurdles,’ explains Ms Lameyre.

Nathalie Lameyre: The Managing Director of EOS Credirec has been the head of the association FIGEC since 2006

PREFERRED PARTNER

Italian for advanced
Omniatel is among the top ten debt collection companies in Italy. As a member of the Preferred Partner Alliance, the specialist puts its local competence to use for EOS clients.

Discussion: EOS integrates Omniatel in strategic considerations

The EU Commission has so far issued about 21,000 regulations and directives.
They relate to numerous areas of daily life and business – from the permissible height of candle flames and the use of plastic bags to IT security. It seems that all issues set down in black and white in EU legislation are unambiguously regulated. However, that's not the case in all EU Member States, as seen in EOS experiences in international debt collection. ‘The European dunning process should simplify and accelerate international debt collection. In fact, in cross-border cases, any creditor can apply for a European order for payment at the presiding court in the country in which the debtor is based,’ explains Romina Rosiello, Product and Cooperation Manager at the EOS Cross-border Center in Hamburg (see interview page 7). If the application is justified, the court generally issues the order for payment within 30 days. So it goes in theory. What happens in practice? ‘About two years ago we applied to an Italian court for a European order for payment – and still have received no response,’ reports Ms Rosiello.

Eleonora Piccoli, Chief Executive Officer of Omniatel: We support EOS in dealing with the Italian legal system.

01 Milan: Headquarters for the debt collection specialists
02 Rome: From the capital, Omniatel oversees the central Italian market
03 Call centre: Omniatel makes 40 per cent of its turnover with debt collections via written correspondence and over the phone

Cooperation instead of purchasing
For Eleonora Piccoli this comes as no surprise. As Chief Executive Officer (CEO) of the medium-sized debt collection company Omniatel with head offices close to Milan, she is an expert in the receivables management business in Italy. After studying business and finance, she founded the company with her father in 2000. Today about 300 employees support about 90 clients. Omniatel is among the ten largest specialists for receivables management in Italy. The EOS Group and its customers also benefit from its extensive expertise.
The two companies met for the first time in 2010. At the time EOS was searching for a takeover candidate in order to develop the large Italian market with about 60 million inhabitants. Omniatel was already an important player there at that time. The company grew rapidly only four years after being founded when it acquired a 30-strong department in the Italian branch of the Dutch knowledge and information services provider Wolters Kluwer. ‘We increased our turnover significantly through the purchase,’ says Ms Piccoli. The same year the company opened a branch in Rome. ‘We can more easily serve the central Italian market from the capital,’ the CEO explains. The next big step came in 2005 when the owners converted Omniatel into a public limited company. But nothing came of the takeover by EOS. ‘Instead, in 2011 we entered into cooperation with EOS in international debt collection,’ says Ms Piccoli.

A PARTICULARLY CLOSE CONNECTION
With the alliance of EOS Preferred Partners created in 2015, the group distinguishes its selected partner companies. Before, EOS and these companies had already worked together successfully for many years in international debt collection. They cover the countries in which EOS is not present itself. As regular partners, they initially only took over the debt collection processing in the background. The Preferred Partners also function as a local contact partner for EOS clients who have a branch in the particular country and want a trustworthy service provider locally.

01 Headquarters: Omniatel has been based in Milan since its foundation in 2000
02 Clients from the media industry: The financial paper Il sole 24 Ore relies on Omniatel for international debt collection
03 Visible alliance: Omniatel uses the logo Preferred Partner of EOS

Bad debts increase
Since then EOS has used its Global Collection Platform to send Omniatel cross-border debt collection cases for debtors residing in Italy.
Omniatel enforces these claims in Italy for EOS clients – both in and out of court. ‘Cross-border cases of EOS clients make up about five per cent of our turnover,’ explains the CEO. ‘Omniatel currently manages claims with a volume of about twelve million euros for us,’ adds Ms Rosiello. The number of cases could rise in future: ‘In Italy we are still feeling the effects of the financial crisis, and bad debts could increase,’ expects the Omniatel CEO. The Italian company's clients include companies from the media and pharmaceutical industries and public administration. ‘Our most important clients in international debt collection are Il sole 24 Ore, one of Italy’s widely read financial newspapers, and the globally active chemical company Bozzetto Group,’ reports Piccoli. Over the years, as EOS and Omniatel have become better acquainted, they have developed mutual respect. ‘During this time EOS could see that we are a respectable and professional organisation,’ says the Omniatel co-founder. The company can prove the high standard of its work: It has been certified for the quality management norm UNI EN ISO 9001.

Deeper personal contact
In 2015 EOS invited Omniatel to expand the partnership by becoming the first member of the newly created alliance of EOS Preferred Partners. ‘We have a particularly close exchange with these selected partners. They support us with their knowledge of regional peculiarities in receivables management in their home country. In addition, we integrate them in strategic discussions,’ explains Ms Rosiello from the EOS Cross-border Center. ‘Our employees have already taken part in EOS workshops on sales and operational subjects,’ says the CEO of Omniatel. ‘Not least, we strengthened the contact with EOS in these workshops. Now that we have got to know each other personally, we can clarify questions and problems more quickly and easily.’

BEST PRACTICE – OMNIATEL
In 2000 Eleonora Piccoli founded Omniatel close to Milan with her father. Today the medium-sized company is among the top ten Italian debt collection companies. In 2004 Omniatel opened a branch in Rome. In 2005 the owners converted Omniatel into a public limited company. About 300 employees are now employed by the debt collection specialists. Omniatel employees make about 190,000 telephone calls every month. The approximately 90 Omniatel clients are predominantly from the media industry. Pharmaceutical companies and public administration establishments are also among the clientele.

Complicated legal issues
When problems involve resolving the application for a European order for payment in Italy, EOS relies on Omniatel. ‘The Italians were not surprised that we were not successful in obtaining an order for payment from Germany. They know of course that Italian courts are used to speaking exclusively with lawyers. We therefore rely on our Preferred Partner locally,’ says Ms Rosiello. Omniatel employs its own lawyer, who coordinates a network of external advocates. Ms Piccoli confirms: ‘Legal matters in Italy are extremely difficult to understand. To be able to support EOS clients here is definitely one of the most important merits of Omniatel.’

INTERVIEW

‘Reliable for clients on site’
Romina Rosiello from the EOS Cross-border Center explains how the alliance of Preferred Partner companies offers even better service in even more parts of the world.

Romina Rosiello: Product and Cooperation Manager at the EOS Cross-border Center

What criteria does EOS use to select its Preferred Partners?
With the Preferred Partners, we want to cover all important regions where EOS is not represented itself. Besides Italy, the list includes Portugal, Finland, Turkey, India, the Baltic States and the United Arab Emirates. In order to become a Preferred Partner, companies must pass a very thorough audit. Furthermore, we visit them regularly and see how the processes are going locally.
We thereby ensure that the partners satisfy our quality requirements.

How is the cooperation with the Preferred Partners different from the work with other partners?
The Preferred Partners are integrated much more closely in our processes. They take part in workshops, for example. Besides that, we consult on strategic issues, such as legal requirements on the Italian market and possible instruments in skip tracing – the search for unknown debtors who have moved. We have also spoken with Omniatel about joint debt purchasing in Italy, which could become a bilateral project in the future.

How do EOS clients profit from the Preferred Partners?
Our clients have direct contact with the Preferred Partners locally. This is especially interesting for companies with subsidiaries in the countries concerned. That aspect is also important for our new solution for the Shared Service Centre. We offer global corporations receivables management for all of their global branches from one source. The client’s locations then conclude direct contracts with the Preferred Partner in the relevant country. The first contract negotiations with Omniatel have begun. We see a lot of potential for this model in the future.

EOS PREFERRED PARTNER
Info: http://omniatel.it/en – More about the Omniatel company
You can learn more about international debt collection and about the EOS Preferred Partners at www.eos-globalcollection.com or using the QR code.

BEST PRACTICE – THINK GLOBAL, ACT LOCAL

Debt collection remains possible
The new EU General Data Protection Regulation (GDPR) should better protect citizens’ privacy. Three experts from EOS explain how they are preparing for the new legal ruling.

Georg Kovacs, Managing Director, EOS KSI Romania
Kristell Cargouët, Internal Auditor, EOS Credirec
Ewa Cedro, Security Administrator, EOS KSI Polska

Romania
The new EU General Data Protection Regulation (GDPR) applies to all large companies involved in data processing.
Thus, for example, EOS KSI in Romania needs to appoint a Data Protection Officer, as the company has more than 250 employees and is therefore deemed a large company by the GDPR. Additionally, we are gathering a considerable amount of information about a large number of consumers. We shall establish new or modify existing procedures regarding the collection and deletion of data. For example, it is important to comply with the ‘Right to be forgotten’ and the ‘Right to data portability’, as stipulated in the GDPR. This applies to all areas of work, such as the Internet, call centres and hard-copy written records.

France
The new EU General Data Protection Regulation does not require EOS Credirec to make any crucial changes. This may be due to the fact that French data protection provisions are already very extensive. The French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) requires all data processing procedures to be documented in detail. As an expert on these subjects, my particular tasks are controlling data security and ensuring compliance with individual laws and retention periods. The most significant reform concerns the role of the CNIL. In future, this authority will no longer act upstream of personal data processing but will focus on controls. In principle, receivables management will be no more difficult than before.

Poland
The current data protection regulations that have an impact on the field of debt collection do not differ significantly in this country from the EU General Data Protection Regulation. Therefore, it is highly unlikely that we will need to make many important changes. We are currently considering the details and may have to formulate more detailed agreements in future. For example, in purchase agreements, we are going to specify the length of time we shall retain the debtor’s personal data. Some of the new provisions will simplify the debt collection procedure.
Up to now, it has not been permissible to gather or process health data without the debtor’s written consent, although they have sometimes volunteered this information to us.

The new EU General Data Protection Regulation (GDPR) goes into effect in early summer 2018. Data processing is then permitted only with the consent of those concerned. However, professional debt collection will remain possible. If it is not otherwise possible to enforce the rights of the third party – for example, the creditor – data processing remains legal without consent. Further information on the GDPR is available at: http://bit.ly/1IjvPgK

BEST PRACTICE – INTERVIEW

‘Profiting from market cleansing’
Since the end of 2015, buyers of B2C receivables packages in Slovakia need a licence. CEO Michal Šoltes explains why it still makes sense for EOS KSI to offer this service, despite, or even because of, this obstacle.

Mr Šoltes, what is new for anyone buying B2C receivables packages in Slovakia?
A new law to protect consumers went into effect in Slovakia on 23 December 2015. It stipulates that companies which are not banks may extend credit to private individuals only if they have the relevant licence issued by the National Bank of Slovakia (NBS). This rule previously applied only to banks. Now non-banks need to produce this licence if they wish to purchase consumer credit portfolios. That also applies to EOS KSI.

What does EOS KSI need to do to make a successful application to the NBS for one of these licences?
EOS KSI needs to position itself as a credit provider, even though we want to purchase credit and not provide it. This means that we need to satisfy all the requirements necessary for purchasing the licence from the NBS. As a well-positioned and structured company, that is easy enough for us, as we always work to very high quality standards.

What are the requirements?
To give some examples, we need to reorganise our personnel structure, redesign our processes and prepare internal guidelines and documents as a means of verifying that our company is structured appropriately. Applicants also need a minimum liquid equity of 500,000 euros and provide evidence of this, for example, by means of an audited annual report for the last three years. In addition we need a business plan that is in line with our new business strategy. In particular, it should show the budget for the first three financial years and must prove our ability to provide consumer credit, even if we are not planning to offer it. We also need to demonstrate that we comply with all obligations relating to the Money Laundering Act.

What changes need to be made regarding the personnel structure?
We have to set up a regulatory committee of three or more members, all of whom have at least three years of professional experience in the financial industry and whose qualifications we can document for the NBS. We also need a separate department that audits EOS KSI’s consumer credit business and a system to assess the creditworthiness of borrowers. Moreover, we need to install a complaints management system.

Is it done with this application?
No, the NBS can undertake checks at any time. That is why we need to ensure that EOS Holding permits audits of EOS KSI by the NBS.

When that is all done, can EOS KSI then purchase private credit?
Almost. Following a successful licence application, we have to document that we satisfy all data security requirements.

Why is it worth it for EOS KSI to overcome such high initial obstacles?
We anticipate that the new ruling will significantly change the competitive situation in this sector. Only big companies with broad experiences and deep know-how are in a position to fulfill the criteria for obtaining the licence for private consumer credit from the NBS. These market leaders should stay in the market for debt purchases in the B2C sector.
In contrast, no licence is required for fiduciary debt collection. Consequently, competition in this area is even greater.

How long do you think it will be before these changes come in?
We anticipate initial market cleansing as early as this year. If most debt collection companies have a licence, players thus registered will split the market among themselves.

What does that mean for EOS KSI?
As a non-bank, we certainly need to comply with additional administrative regulations to purchase consumer credit portfolios. On the other hand, the number of competitors in debt purchase will be reduced significantly. As part of the financially strong EOS Group, we are extremely well qualified to be able to make attractive offers in future to anyone selling B2C receivables packages in Slovakia.

Michal Šoltes: The Managing Director of EOS KSI in Slovakia wants to benefit from the new regulations regarding debt purchases in his country

FOCUS – DATA PROTECTION

Security trumps risk
Digitisation is progressing rapidly in business life. To make sure that sensitive data does not fall into the wrong hands, companies must constantly adapt their security concepts. But which measures promise genuine success?

The power of data is growing. ‘Globalisation in the 21st century is increasingly determined by the flow of data and information’, according to a current study by the McKinsey Global Institute. Digital data exchange already contributes more to global growth than traditional goods traffic. For most companies, IT has been the heart of their business for a long time. It is no wonder then that they not only drive digitisation forward, but also increasingly invest in IT security. The Gartner Market Research Institute found that about 75 billion dollars were spent on cyber protection in 2015, four per cent more than in the previous year. Security requirements increase alongside complexity.
A few years ago, a firewall was still sufficient for many companies, that is to say a security system which, for example, protects a computer network from unwanted access. Today significantly more complex solutions are in demand. ‘It is important to approach security in an integrated way, and not to simply take individual measures,’ says Wilhelm Dolle, who is responsible for Security Consulting as a partner of the auditing company KPMG.

Define the crown jewels
First, there is the analysis: Which data are fundamental? ‘Companies need to define which are their “crown jewels”. Just as the Queen keeps these treasures securely in the Tower, a company should protect its most important data and systems by all means,’ explains Derk Fischer, data security expert at the auditing company PwC. Companies should classify their data according to their importance. But what sounds simple is not always easy in reality: the crown jewels identified depend on the division of a company being surveyed. A tried and tested method is to form a diversified group of employees who analyse the data together.

A closer look: Companies should look at their IT security in an integrated way

Systematic approach
In the next stage, the security officers should define special security guidelines and security measures for each data type.

MORE INFORMATION
An international study by the consultancy A.T. Kearney about the golden rules for successful information security management: http://bit.ly/22K7b2b

Security first: Sensitive data need optimal protection

THE MOST COMMON SECURITY MEASURES TAKEN BY COMPANIES

MOBILE SECURITY IS A STEPCHILD
The protection of mobile data is given low priority at many European companies. Only 21 per cent of companies surveyed embrace modern security solutions (see graphic on the right). This includes mobile end devices like smartphones and tablets with which employees retrieve their emails or customer data – on a daily basis in many companies.
You can read about how companies can train their employees in handling sensitive data from page 14.

In first place: Antivirus software, which is used in nine out of ten European companies. It is followed by protection using firewalls and backups.

Chart – the most common security measures taken by companies: antivirus 91 per cent, mobile security 21 per cent; the further measures shown include firewalls, backups, encryption, network security, authentication and intrusion detection, with values between 33 and 85 per cent. Source: ESET, 2015

01 With system: Define the procedure regarding data security
02 Keep moving: Successful cyber protection comes from regular adaptations

‘For this purpose, more and more companies rely on internationally recognised standards like ISO 27001,’ according to Mr Dolle. The norm specifies requirements for the implementation of security mechanisms. The core of it is the so-called information security management system (ISMS), which should define, manage and monitor data security. Mr Dolle says: ‘The central issue of an ISMS is risk management. Experts must analyse weak points relevant to the company and find the correct technical and organisational measures.’ To that end, many companies appoint a Chief Information Security Officer (CISO) who coordinates the different parties inside and outside the company. ‘On the one hand, the CISO takes care of the management and implementation of information security, and on the other hand, sensitises employees to the issues and collaborates with external service providers,’ says Mr Dolle. ‘Furthermore, the CISO has to explain to the managing director or Board what risks are involved in IT and data processing and how the security department can minimise those risks.’ The CISO generally reports to the company management or to the Chief Information Officer (CIO), that is to say the head of IT.

External access: Simulations help to uncover security gaps

THOROUGHLY SCREENED
Most companies carry out security tests, according to the results of an international study by ISACA, the global professional association of IT experts, in 2015. Half of those surveyed made checks at least once a year. 32 per cent even test their systems quarterly or more often.

THE CISO’S POSITION IN THE COMPANY
A direct line to the Board of Directors? The Chief Information Security Officer (CISO) reports …
… to the management/Board of Directors: 47 %
… to the CIO: 46 %
… to the IT Manager beneath the CIO: 7 %
More than half (7 plus 46 per cent) of the CISOs surveyed stated that they report to an officer in the IT department. Source: A.T. Kearney analysis

An international study by management consultancy A.T. Kearney shows that 53 per cent of the CISOs surveyed report to the IT department (see graphic on the left). At the same time the study suggests, however, that CISOs who are directly subordinate to the Board of Directors or company management work in more successful information security departments. It is therefore worth making IT security a management matter.

Regular stress tests
It is also important to regularly check the systems with stress tests that reconstruct unauthorised intrusion by attackers. EOS also carries out continuous security checks. ‘With the aid of external service providers, we simulate external attacks to check whether our systems are secure,’ says Gunnar Woitack, who is responsible across the EOS Group for information security (see interview on page 13). ‘In doing so, the commissioned specialists try to find a weak point in the systems online.’ Companies have to stay a step ahead to maintain successful cyber protection.

Wilhelm Dolle, Partner at KPMG: It is important to approach IT security in an integrated way and not just to take individual measures.

FOCUS – INTERVIEW

‘We are advocates for information security’
A new information security guideline has been in effect in the EOS Group since 2015.
Chief Information Security Officer Gunnar Woitack explains what the protection of sensitive data involves.

Gunnar Woitack: Chief Information Security Officer of the EOS Group

How do companies organise themselves today to protect sensitive data in the best possible way?
Overall, the significance of information security has risen sharply in recent years. Positions are created for specialists who ensure that the possible risks which could lead to a loss of confidential data are continuously and systematically recorded and analysed. This creates a level of protection which is not accidental, but rather tailor-made for the interests of the particular company.

A new information security guideline has applied for the EOS Group since last year. What are the most important aspects?
At EOS we have a very close eye on information security. After all, it is our daily business to handle sensitive debtor and customer data. The new guideline from our parent company, Otto Group, once again sharpens the focus on the subject throughout the group of companies. Among other things, it calls for the establishment of an Information Security Management System (ISMS) in each company. The purpose of the ISMS is to continuously and systematically deal with information security risks. An important element of the ISMS is the appointment of the Information Security Officer (ISO) in each subsidiary. This ISO is, so to speak, the advocate for information security in the company. He carries out risk analyses regarding information security and coordinates possible counter-measures with the Board of Directors. The final decision always lies with the Board of Directors, since they remain responsible for information security. The ISO is integrated in all relevant processes within the company, so that he can already have an influence in early phases.

You have assumed the newly defined position of Chief Information Security Officer (CISO). What are your main tasks?
As CISO, I coordinate the information security matters in the entire EOS Group. The first stage is to explain the new guideline across the Group and to ensure that each company appoints an ISO. I advise the local ISOs in all questions of information security, in particular on the implementation of the new guideline. There is a specialist reporting channel from the currently 31 ISOs in the EOS Group to me. I consolidate the reports and then report to the Board of Directors of the EOS Group.

What do you do specifically at EOS to guarantee the security of information?
Unauthorised external access to data is becoming increasingly complex. These methods of attack, referred to as Advanced Persistent Threats, require extensive protective systems which combine information from different separate security systems and can find connections between them. At EOS we watch conspicuous transactions very closely. With logging and monitoring, we observe access to relevant data. We have inserted fraud patterns into our monitoring software for this purpose. If particular patterns appear, the system automatically sounds an alarm. Besides these specific security measures, it is essential that we inform and train employees too.

What are the consequences of the guidelines for the individual EOS companies?
Besides establishing an ISO, the companies must ensure that their workforce is regularly trained in so-called ‘awareness measures’, which are meant to increase employees’ awareness of information security. Furthermore, the ISO should be involved in internal processes such as the addition of new software functions or changes to the IT infrastructure. For its part, the Board of Directors is to ensure that the required human and financial resources are available. Our IT security concept is a made-to-measure package which offers the entire EOS Group – and therefore all of our clients and their customers – the best possible data and information protection.
FOCUS SECURITY AWARENESS
Internal security
Technical measures alone are not enough to guarantee IT security in companies. Just as important are employees, who contribute to the protection of information.

Signs in the toilets at the Pentagon warn government employees about having official discussions at the sinks with the notice ‘This is not a secure conference room’. At least that's the story among security experts. It may sound far-fetched at first, but it really is not. Authorities and companies often make it easy for unauthorised persons to gain access to internal information. The people factor plays a central role. According to a survey by the e-mail messenger AppRiver, 70 per cent of the European companies surveyed see people as the weakest link in a company’s security strategy. This does not mean the intentional abuse of data. Far more often it is ignorance and thoughtless handling of information which cause leaks in the IT security system.

A question of communication
Some companies have a lot of catching up to do. In the USA, for instance, 32 per cent of companies take no measures to train their employees about how to handle sensitive information. In the UK the figure is 41 per cent, and in Germany it is even 75 per cent, as shown in surveys. Knowledge about issues relevant to security is accordingly poor: Only 37 per cent of Germans stated that they are familiar with the regulations. In 2011 the figure was still 45 per cent according to the initiative ‘Germany safe online’ (DsiN). The reason: While IT knowledge has stagnated, the systems and therefore the IT requirements have become increasingly complex. Many employees simply feel overwhelmed, summarises DsiN. This is where training measures, known as ‘security awareness methods’ for employees, come into action.

Mathias Gärtner, National initiative for information and internet security NIFIS: ‘Management should constantly push forward information security.’
How important these are is also reflected in international information security standards, such as ISO 27001, which requires the ‘implementation of training and awareness creation programmes’ as relevant aspects for certification. ‘Management should constantly push forward the protection of information,’ says Mathias Gärtner, director of the ‘national initiative for information and internet security’ (NIFIS). When information protection is positioned high in the hierarchy, its importance is clear to the company and to every employee. Ultimately the security precautions also change daily working life, says Mr Gärtner, who also advises the German Federal Ministry for Economic Affairs and Energy.

The attackers’ tricks
Standard training programmes and informational pamphlets are not enough to raise employee awareness to this sensitive subject. ‘For smaller companies which do not have the required expertise themselves, it can make sense to bring in external consultants,’ says Mr Gärtner. Provided that the company actually grades its data as sensitive and worthy of protection. At security awareness workshops, the employees are shown examples of how easy it is to become the victims of cyber criminals. An overly simple password, a tampered USB stick, a virus hidden in an email attachment – attackers often use relatively simple methods to crack security barriers. ‘Cyber criminals act economically,’ explains Mr Gärtner. ‘They attack where expenditures are lowest. Companies must therefore try to increase the time and effort required for attacks.’ The right technology, and above all employees who are aware of the risk, help here.

Say no more: Liberal handling of information can become a problem for companies
Mobile awareness: Encryption makes access harder for unauthorised persons

THE THREE MOST COMMON MISTAKES WHEN HANDLING SENSITIVE DATA
E-mails: Most viruses and Trojan horses reach company computers through spam e-mails.
Laziness: Only one (often too simple) password for all applications or the use of officially prohibited USB sticks – employees often defy applicable security standards.
Trustfulness: Attackers pass themselves off as employees over the phone and gain access to sensitive information.

THE GREATEST RISKS
For 18 per cent of companies, carelessness by employees poses the greatest risk to IT security. Careless employees: 18 %; Dated security systems: 15 %; Unauthorised access: 10 %; Cloud services: 10 %; Mobile devices: 9 %; Social media: 6 %. Source: EY, Global Information Security Survey 2015 by EY. Info: http://bit.ly/1YfwL9C

Secure mobility
With the expanding use of mobile devices, it is increasingly difficult for IT departments to guarantee security. This is particularly the case if employees work on their private smartphones or laptops. Insecure end devices have access to secure data and prompt a veritable feeding frenzy for cyber criminals. A solution is to have data encrypted by the IT department also on private devices and above all to protect them from external attacks if the device is lost.

PANORAMA MARSEILLE
Raw beauty on the Mediterranean
Although it once had a notorious reputation, Marseille is now considered one of the most fashionable cities in France. Caroline Soriano, Head of Recruitment and Training at EOS Credirec, invites you to take a tour of the port city.

First work, then pleasure: visitors must climb around 200 steps before they reach the base of Notre-Dame de la Garde. They are then rewarded with what is probably the most beautiful view of the city. In addition to the ochre-coloured alleyways, the old port, and the small islands along the coast, they can see a series of futuristic buildings next to the water tower. This is the site of a gigantic urban development project. The opposite mountain is home to the ‘Bonne Mère’, as it is called by the people of Marseille. It is embedded deep in the tradition of this city of 850,000 people. The basilica is considered a protector of sailors and fishermen. Model ships dangle from the ceiling, and on the walls, votive plaques commemorate the happy return of sailors from storms and tempests. The mosaics on a golden background are particularly beautiful.

Mediterranean fjords: White limestone and turquoise water in the Calanques

Fishermen and flâneurs
‘A must for visitors is the old port, the centrepiece of the city,’ says Caroline Soriano, Head of Recruitment and Training at EOS Credirec. Both amateur sailors and the jet set drop anchor here. They meet for dinner or stroll along the water. In the morning, fishermen sell their catch on the wharf. Whether chef or tourist, you can find the freshest seafood in the city. Some of it makes its way to the best fish restaurants in Marseille, which are just around the corner. At lunchtime, the aroma of garlic mixes with the salty air and whets the appetite. From the old port, ferries sail to the nearby Frioul Islands. ‘One of these is home to the Château d’If, which is certainly worth a visit,’ says Ms Soriano. It was built as a fortification in the sixth century but was soon transformed into a prison.

Yachts and fishing boats: The old port lies in the middle of the city
Protection for sailors: Notre-Dame de la Garde, which is referred to as the ‘Bonne Mère’ by the people of Marseille, watches over the city
Château d’If: The prison island from the ‘Count of Monte Cristo’
Luxurious soup: Bouillabaisse includes various types of fish

EOS CREDIREC
In 1993, EOS Credirec was founded as Credirec SAS in Paris. The EOS Group took over the collections specialists in 2011. In addition to receivables management, the company, which has branches in Nantes and Pau, offers debt purchase, international debt collection, and skip tracing, the search for debtors who have moved to unknown locations.
The site achieved fame as a setting in ‘The Count of Monte Cristo’ by Alexandre Dumas.

Bouillabaisse and colourful boats
If you would like to experience more Mediterranean atmosphere, Ms Soriano recommends taking a 30-minute tour on the ‘La Corniche’ promenade. ‘This includes a rest in the small port of Vallon des Auffes. For lunch, guests can enjoy bouillabaisse, the typical fish soup of the region.’ The restaurant ‘Chez Fonfon’ offers diners an exceptional bouillabaisse and a beautiful view of the fishermen’s houses and the colourful boats (see tips on page 19). The St Victor Abbey, which was built in the fifth century, also lures visitors. For over 1,500 years, the medieval building with two fortified towers and massive walls was one of the most important centres of Catholicism in the south of France.

Caroline Soriano, Head of Recruitment and Training at EOS Credirec
Caroline Soriano has been working at EOS Credirec for 19 years. She is responsible for training within the company. In her free time, the native Corsican enjoys bargain hunting at flea markets and in vintage shops.

Baked according to a secret recipe
Do you crave something sweet? Not far from the abbey at 136 Rue Sainte, you can find the ‘Four des Navettes’ confectionery, which offers the pastries of the same name. The family company and self-proclaimed oldest bakery of the city has been guarding the recipe of its Navettes for over 200 years. One ingredient, however, is not secret. The little boats, which are meant to be reminiscent of the Bark of Saint Lazarus, are flavoured with orange blossom water.

Contemplative: In the small fishing port of Vallon des Auffes, you can catch a glimpse of the region’s origins

ON THE MOVE: GOOD TO KNOW
FOOD AND DRINK
For centuries, Marseille, the ‘Gate to the Orient’, has been a port of call for people of numerous cultures. This is also reflected in the cooking. Provençal cuisine meets North African, Spanish, Italian, and Armenian influences. Probably the most famous speciality is bouillabaisse. Once considered a dish for the poor, it is now prepared in top restaurants according to rules established in the 1980 Bouillabaisse Charta.
ACCOMMODATION
You can find accommodation to fit any budget: ‘La Résidence du Vieux Port’ is particularly beautiful, although this is reflected in the price. It features a magnificent view of the old port and a delectable breakfast (www.hotelresidence-marseille.com, double room starting at EUR 185 per night). Considerably less expensive is the rustic ‘Maison du Petit Canard’ bed and breakfast in the old Panier quarter (http://maison.petit.canard.free.fr, double starting at EUR 70 per night).
GETTING AROUND THE CITY
With the City Pass, visitors can use all buses, subways and special tourist trains. The City Pass also includes admission to many museums and the boat trip to Château d’If. The 24-hour ticket can be obtained from the Tourism Office for EUR 24.
DESTINATIONS
To the east of the city, the Calanques await. Steep walls of white stone fall into the turquoise sea and form fjord-like bays. Tip: Hiking guide Jean Marc Nardini can take visitors on a three-hour tour through this unique ecosystem. Bookings are possible under decouvertecalanques@sfr.fr. Those who would prefer to experience the beauty of the Calanques from the water can board a pleasure boat from the old port of Marseille.

Splashing on the roof
Ms Soriano’s special tip for aficionados of unusual architecture is a visit to la Cité Radieuse (the radiant city), which was designed by the famous Swiss architect, Le Corbusier. At first glance, the city seems gigantic and unwelcoming; however, upon closer inspection, the complex reveals itself to be a perfectly thought-out living space.
The building, which was completed in 1951, features 300 flats, which were considered to be exceptionally comfortable and modern at the time that they were built. A library, a bar, a restaurant and a hotel all provide ample space for meetings. On the rooftops, children can splash about in paddling pools and romp around in different play areas. ‘Five days a week, the tourist information office organises tours through this architectural monument,’ says Ms Soriano, ‘and visitors can experience its special appeal’. La Cité Radieuse combines many attributes that also describe the city of Marseille itself. Although at first they may appear to be somewhat bulky, rough and unpretentious, both reveal a fascinating beauty underneath.

Information: www.marseille-tourisme.com

01 Sweet tradition: The famous Navette pastries
02 Building history: La Cité Radieuse by Le Corbusier
03 Mosaic art: Inside Notre-Dame de la Garde

PANORAMA MARSEILLE FOR EXPLORERS
HOTSPOTS
CHEZ FONFON
The family restaurant on the picturesque port of Vallon des Auffes has been serving local specialities since 1952. Far beyond the borders of the city, the bouillabaisse is known as the best there is. Although it is a bit pricey, it is certainly worth it. www.chez-fonfon.com
MUCEM MUSEUM EXPERIENCE
The first national museum outside of Paris is dedicated to the fascinating presentation of the cultural history of the Mediterranean. The special architecture of the MuCEM alone is worth the visit. The building, which is located directly on the old port, is encased in a delicate network of concrete. www.mucem.org
Cultural network: The new MuCEM perfectly combines the historical with the modern
IN ANISETTE HEAVEN
On the shelves of Maison du Pastis, you can find 75 varieties of the popular anisette. Many are specialities from the region and always make for a good souvenir. www.lamaisondupastis.com
KING AMONG CHEFS
Christian Buffa, head chef at La Miramar, the restaurant on the old port that is as chic as it is pricey, offers courses on how to prepare the perfect bouillabaisse. www.bouillabaisse.com
LES ARCENAULX
Here you can find exquisite cuisine in an elegant atmosphere. This is also a favourite for many locals. Along the walls are countless bookshelves, which are reminiscent of a dignified library. www.les-arcenaulx.com
LA CARAVELLE
A touch of port atmosphere: The bar is sure to impress with its terrace featuring a view of the old port and live music plus a good selection of wines and anisettes. www.lacaravellemarseille.com
MANON MARTIN
This atelier is all about head wear. Customers at 10 Rue de la Tour are spoiled for choice with elegant summer hats, novel party creations and opulent wedding models. The atelier also offers jewellery, scarves, and bags. www.manonmartin.com
UN ÉTÉ EN VACANCES
The T-shirts and sweaters with fish motifs and clever sayings make for good souvenirs. The shop is located at 7 Rue Bailli de Suffren. www.uneteenvacances.com
THE MAGIC OF FOOTBALL
Since 2014, the Vélodrome has had a new sheen. Normally the home to the Olympique de Marseille team, the stadium will be the site of UEFA Euro 2016 matches this summer. www.om.net
FRAGRANT THINGS
Marseille is considered a stronghold of soaps. At Savonnerie de la Licorne, you can find handmade pieces in many shapes and colours. www.savon-de-marseillelicorne.com
BOOK RECOMMENDATION
Three times the excitement: The Marseilles trilogy by Jean-Claude Izzo gives insight into the way of life and the complex problems of the city. www.europaeditions.com

Receivables management · Liquidity management · Information management
To be successful, you need both: positive figures and an understanding of difficult situations from the customer’s point of view. This belief is reflected in our guiding principle: ‘EOS. With head and heart in finance’.
This principle flows through to our work for your company. Our receivables management services improve your liquidity. We adopt a cooperative approach when dealing with your defaulting customers during the debt collection process, working with them on an equal footing in order to find solutions that satisfy all parties involved. By taking this approach, we ensure that your balance sheets add up and that your business relationships remain on an even keel. Find out more about our services at www.eos-solutions.com With head and heart in finance