Published 31. Aug. 2017
Dutch Engineering Company Remeha Takes a Strategic Approach to Information Security
Many companies continue to rely on an ad-hoc, reactive approach to secure their critical information. But given the quickly evolving threat landscape and new regulations and compliance requirements, this approach is no longer viable. Remeha, a specialized Dutch manufacturer of central heating systems, thermostats and solar boilers, recognized it needed to change its existing information security practices.
Remeha has over 400 employees and emphasizes innovation, quality and service in its market approach and product development. The company is part of the BDR Thermea Group, which is active in 82 countries worldwide. From its headquarters in Apeldoorn, Remeha serves customers in the Netherlands, Belgium and Germany. Until a few months ago, the company relied mainly on antivirus software running on its 400 workplace PCs for cybersecurity. But in 2015, the realization grew that more was needed to ensure effective security. The company’s management issued a directive stating the need to formulate and implement a comprehensive plan for information security.
According to Kees Blom, IT manager Benelux for Remeha, this was the start of a journey towards a strategic approach for protecting the company’s information. ‘Our management realized that information security is a topic that requires a thorough strategy and clear policy, instead of just antivirus. And that takes more than just picking a new security solution. First, we needed to document our procedures, map out the risks and compile a thorough inventory of our business information. The next step was determining how to best secure that information. And from that we could look to find the best tooling for the job’, says Blom.
Remeha asked Dearbytes, its existing security partner, to support them in this project. And from the start, the collaboration went smoothly. ‘We needed a plan for a well thought-out security policy that matched our specific situation. For example, as a leading manufacturer of central heating systems we have to comply with several ISO standards. The current ISO norm concerning security will be updated in 2018, focusing more on a risk-based approach. Together, we formulated an approach that aligns with the upcoming ISO 9000 standard, aimed at mapping out and reducing risks. And based on the outcomes of this approach we will then implement the appropriate measures.’
In March of 2017, the proposed plan was presented to Remeha’s management. Blom: ‘Our presentation outlined the challenges we faced and the proposed solutions, in clear and understandable language. This ensured our key messages came across, and the proposed strategy and policy were quickly approved by our management. And the policy-based nature of the plan also really pointed the way to the next steps. We can now quickly determine what the best types of tools are to help strengthen our security, how to best implement security monitoring and which solutions are the best for the job.’
The inventory of existing procedures and compliance checks also pointed out that Remeha had some way to go to become fully compliant with Dutch laws concerning privacy protection. So this is one of the first jobs that will be tackled, for instance by implementing effective monitoring. ‘Our first task is to implement a broad security monitoring solution using SIEM (Security Information and Event Management). This will allow us to closely monitor network activities and prevent possible data leaks. As security monitoring is a complex task requiring specific expertise, we won’t be doing this ourselves but will outsource it to our security partner.’
Remeha is also considering upgrading its current antivirus products with an integrated endpoint security solution. ‘Modern endpoint security solutions feature a far more integrated approach, linking several security components so they can be managed better. A fully integrated solution really is the only way to effectively manage and monitor all the different security tools in our organization. And an effective antivirus solution that stops malware goes a long way towards reducing our risks’, states Blom.
A final focus area for Remeha is to increase employee awareness around information security. ‘We will include everyone within the organization in our internal communications around security, because each and every employee has a responsibility and has a part to play’, says Blom.
Concluding, Blom states: ‘Effective information security requires more than just buying products and technology. It all hinges on a strategic plan and clear and comprehensive policy, and then finding the products and solutions that best support this strategy’.