Vodafone 2024 Annual Report

Purpose (continued) 50 Vodafone Group Plc Annual Report 2024

Strategic report



Other information

During the year, the Board formed a Technology Committee which assists the Board by overseeing how technology underpins company strategy. Cyber security was discussed in the first meeting of the Committee, covering the changing business, technology and cyber threat landscape.

The Cyber Code The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is embedded in our Code of Conduct and is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice. Click to read more about Vodafone’s Cyber Code in our Code of Conduct: vodafone.com/code-of-conduct Threats and incidents Threat landscape and intelligence An important part of our operating model is to gather intelligence and insights about threats. The cyber threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. Our cyber security team use industry and external analysis to help shape our controls and procedures, and drive actions. When specific vendor or new high impact vulnerabilities are reported, we drive global remediation across Vodafone. Geopolitical instability, conflict and tensions often lead to an increase in cyber threats from state-backed and criminal threat actors. This can lead to disruption, data theft and integrity compromise. Cross-industry and government collaboration is vital. Ransomware and data extortion attacks are common to companies of all sizes. The threat is increasing. Based on public reporting, some companies are paying ransoms, aggravating the threat. Attackers are increasingly trying to log in, rather than hack in. As such, social engineering methods are a common means for attackers to gain access. Emerging technologies such as AI will enhance techniques such as voice phishing and deep fakes. Harvested credentials continue to be sought and shared by threat actors. Attackers can target executives following media announcements and public reporting. The speed of vulnerability exploitation is very fast, with a trend for targeting internet-facing software. In 2023, the European Commission highlighted the number of supply chain attacks in Europe has tripled. Supplier attacks against all sectors are likely to increase in the coming year. We anticipate threats will continue from existing sources, as well as evolving in new technology areas such as AI and quantum computing. Cyber operations and incidents As a global connectivity provider, we see a range of cyber threats. We use our layers of controls to identify, block and mitigate threats and reduce business or customer impact. Our global security operations capability handles trillions of events and logs from sensors across our footprint, detecting potential threats and events. Low severity issues are dealt with quickly, for example by malware containment or isolating an individual device. More significant events are triaged to our 24/7 incident management and response team. We operate a single global team and capability. Where a security incident occurs, we have a consistent incident management framework to manage our response and recovery. The focus of our incident responders is always fast risk mitigation and customer security. In the event of a cyber breach, disclosure is made to the relevant authorities in line with local and global regulations and laws and a risk assessment considering the impact on customers. This may include law enforcement as well as regulators. The European Union’s GDPR provides a framework for notifying customers in the event there is a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Our data privacy officers are a key part of the response where incidents impact personal data. We will also notify the SEC if an incident is deemed material.

Read more about the Audit and Risk Committee’s oversight of cyber security on pages 89 to 94

Click or scan to watch the Chair of the Technology Committee talk more about his role

Culture, training and awareness Training and awareness

Our cyber security awareness approach is to educate our employees to protect themselves and our customers from cyber threats. Cyber security training is mandatory as part of our Doing What’s Right programme. The training module is designed by the cyber security team to inform employees of key threats and how to avoid them. The cyber leadership team are actively involved in shaping the approach and in specific employee communication. The corporate security function lead on all employee security training and they deliver the programme and materials. Mandatory training runs every other year with a short refresher and knowledge check in the intermediate year. If the knowledge check is failed, the employees are required to retake the full cyber security training module. During the year we launched a training manual for contractors, so they also receive the same level of awareness. Training on cyber security is also included in our induction process for new employees. We track completion rates to ensure every employee completes mandatory training when assigned. Read more about our approach to mandatory Doing What’s Right training on page 44 Cyber security training is reinforced by regular digital communications delivered via our internal social media platform, through videos and webinars. We respond to threats with specific targeted advice, such as the use of multi-factor authentication and reminders to not share credentials. We perform phishing simulations across all markets and functions to raise awareness and train employees. We target at least two exercises per market or function per year. We also run multi-market simulations to allow us to compare responses consistently – in the most recent exercise we sent over 100,000 1 emails to nine 1 European markets and Group functions. Those who click on the link in the phishing message or share their credentials receive immediate training. We are now rolling out this multi-market approach to our African markets. We also provided focused training for our Executive Committee. This year, we covered social engineering threats, use of social media, travel to high-risk countries, using devices securely and how to share confidential information safely. The training materials were cascaded to their teams by ExCo members. We have continued to undertake incident simulations for local executive committees, most recently for Greece. The simulations provide CEOs and their teams a realistic and tailored experience of managing a cyber incident and exercising their responsibilities in accordance with our common approach. Growing our skills We enable employees in our cyber teams to maintain and grow their skills to better protect our customers. Our company learning platform hosts cyber training on technical topics, platforms and frameworks. Employees can study towards recognised information security and cyber certifications aligned to their learning plans. Since 2020 we have organised twice yearly cyber connect events for our entire global cyber security team. The events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience with some attending in offices and some remote.

Note: 1. Includes Vodafone Italy and Vodafone Spain.

Powered by