Vodafone 2024 Annual Report

47 Vodafone Group Plc Annual Report 2024

Strategic report



Other information

New technologies and industry collaboration We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Secure by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures. Mobile networks Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features in our core networks. We also test security in our radio networks using independent third-party testing companies. OpenRAN is a new way of building and managing radio access network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecommunications equipment. We continue to collaborate with other players in the OpenRAN ecosystem to improve security. This includes adding requirements to the OpenRAN specification, publishing internal security standards, and benchmarking vendors against these. The first OpenRAN sites are now live in the UK, Romania and DRC. Quantum computing We are preparing for a time when quantum computing is available at scale. Through our joint research with IBM, we have developed a risk-based approach to mitigate the risks of existing cryptography, which could be more easily broken by a quantum computer. We are identifying potential quantum vulnerabilities, defining supplier requirements and developing the ability to update our cryptography when new threats emerge. Vodafone also co-chairs the telecommunications industry-wide task force on this issue. Artificial intelligence (‘AI’) We take the responsible use of AI seriously and seek to balance the opportunities and risks associated with AI, and more recently generative AI (‘Gen AI’). Teams from across the business are collaborating under the governance of a global AI governance board which agrees policy, mitigates threats, identifies and selects use cases for implementation. Read more about AI governance on page 46 We are experimenting with public and private Large Language Models (‘LLMs’) to support a range of potential business cases. To date, two private versions of models have been reviewed and approved though our Secure by Design process. To reduce the risks of misuse, we limit access to specific public LLMs. We have developed an awareness programme and updated our guidance and policies to make it clear to our employees what data must not be shared in a public AI model. We have defined requirements for internal LLM application development including risk assessment, designing for transparency, lack of bias and providing the right degree of human oversight of results. If the AI model could have a high impact on people, we require a human to have input on the final decision. We are also investigating the use of AI to augment our cyber security processes. The first proof of concept is a cyber security chatbot which can answer employee questions on cyber policies and standards. We are also part of cross-industry forums which collaborate on telcommunication-specific AI use cases, including threat detection, investigation and response.

Industry collaboration We actively engage with stakeholders across industry, with regulators, standard-setting bodies and governments. Collaboration is vital to respond to threats, protect our organisation and workforce, and build safe online and digital spaces for customers and society. We use our expertise and experience to engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing, risk assessment, and governance. For example, we have engaged in cross-industry collaboration through the European Round Table, where we chair the CISO committee. We have an appointed member on the National Cyber Advisory Board in the UK. We also collaborate with other telecommunication companies, and actively engage in security standards working groups such as ENISA 5G Cyber Security Certification, O-RAN Alliance Security Focus Group and GSMA Fraud and Security Group. Risk management Identification of vulnerabilities and risks Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people will be subject to cyber attacks and some will be successful, leading to security incidents. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data. As a result, cyber security is one of Vodafone’s principal risks. A successful cyber attack could cause serious harm to the Company or its customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, the cyber security incident could cause material financial impact to the Company. There is increasing regulatory focus on cyber security and requirements for telecommunications providers to improve their cyber security practices. The Company is subject to GDPR and equivalent legislation in many countries in which it operates. In addition, there are cyber focused local laws and regulations, for example in the UK with the Telecoms Security Act. A cyber incident may therefore lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs. We dedicate significant resources to reducing cyber security risks, however due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk: – External: A wide variety of attackers, including criminals and state- backed groups, target our networks, systems and people using a range of techniques and procedures. They seek to gain unauthorised access to steal or manipulate data or disrupt our services. Geopolitical factors also increase the threat of an external attack; – Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption; and – Supply chain: We only have indirect control over the cyber security of third-party service providers, limiting our ability to defend against cyber threats to these third parties. Such attacks, if successful, could cause services to be unavailable or enable a data breach to occur. To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats.

Powered by