As Arbonia, we can only maintain information security together with our employees. Our aim is to protect the operating activities and competitiveness of the group against successful attacks. Otherwise, considerable damage can result for us as a company and for our customers through cyber attacks. These range from the loss of employee and customer data to a complete production standstill including high ransom demands.

For this reason, we as Arbonia have accelerated the expansion of the Information Security Management System, which contains a holistic security programme. In addition, further guidelines have been issued, for example, on general IT security, password security, or the information security requirements for third parties. The security awareness programme helps employees successfully recognise real threats and potential attacks in both their business and private lives and react to them correctly, in accordance with the motto "THINK BEFORE YOU Click.Post.Type". Various KPIs give Arbonia an overview of the implemented security measures. Stakeholders are involved in the further development of the IT security architecture through regular user surveys.

The responsibility for the information security of the entire Arbonia Group basically rests with the Chief Information Security Officer and the IT Board, which consists of the Group CIO, the division CIOs and the Group CFO as well as IT representatives of both divisions and the Group. The relevant topics are always coordinated with the division officers and Group Management. For implementing individual measures, the local IT teams and ICT security specialists provide support as interfaces to the sites and companies.

Together for more IT security

The employees of Arbonia are a central link in the security chain in the area of cybersecurity and must assume the corresponding responsibility. The most common attack tool for cyber attacks is e-mail – followed by social engineering (manipulation or influencing of a person) and the Internet. For this reason, it is extremely important to recognise, avoid and report suspicious sources.

Through targeted measures to strengthen so-called cyber resilience, we as Arbonia try to reduce the risk of successful cyber attacks to an absolute minimum. The Group pursues an integrated security approach with technical measures, processes, guidelines and standards, compliance with and implementation of which are checked by the Chief Information Security Officer and his or her team at Group level. Cyber attacks of any kind must be recognised early on and repelled. Accordingly, employees are increasingly being trained and made aware of this topic. The integrated security approach in the framework of the information security strategy is continually reviewed using audits and penetration tests. Cyber risks are an integral part of the risk management process and thus also the risk transfer to insurance.


The security awareness campaigns under the motto "THINK BEFORE YOU Click.Post.Type" contain various measures. In this context, employees are regularly invited to participate in various awareness and training units, with more in-depth training courses provided specifically for IT administrators and other exposed persons. These courses provide information on the secure handling of data as well as information systems and aim to make everyday life more secure. The participation rate was 68% in the reporting year (previous year: 58%) and should increase to 100% by 2025.

On the basis of high cyber resilience and e-mail security, Arbonia’s general objective is not to experience any safety-critical incidents and thus to ensure a permanently smooth course of business. For this purpose, the results of the attack simulations are used to strengthen resilience. To control security, cyber maturity is also measured on the basis of defined standards. Further key figures are collected via SIEM (security information and event management) incidents for all companies and are used to improve cyber defence. In this process, (malicious) incidents and the reaction to them are continually recorded. The management system classifies these incidents according to their type and severity and evaluates the defence measure according to filter functions and existing use cases. As a further protection level, a project for NDR (network detection and response) has been implemented.