9
Culture, training and awareness
Vodafone Group Plc Cyber Security Factsheet 2024
Introduction
Strategy
Risk management
Our operating model
Threats and incidents
Compliance
Threats and incidents Threat landscape and intelligence An important part of our operating model is to gather intelligence and insights about threats. The cyber threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. Our cyber security team use industry and external analysis to help shape our controls and procedures, and drive actions. When specific vendor or new high impact vulnerabilities are reported, we drive global remediation across Vodafone. – Geopolitical instability, conflict and tensions often lead to an increase in cyber threats from state-backed and criminal threat actors. This can lead to disruption, data theft and integrity compromise. Cross-industry and government collaboration is vital. – Ransomware and data extortion attacks are common to companies of all sizes. The threat is increasing. Based on public reporting, some companies are paying ransoms, aggravating the threat. – Attackers are increasingly trying to log in, rather than hack in. As such, social engineering methods are a common means for attackers to gain access. Emerging technologies such as AI will enhance techniques such as voice phishing and deep fakes. Harvested credentials continue to be sought and shared by threat actors. Attackers can target executives following media announcements and public reporting. – The speed of vulnerability exploitation is very fast, with a trend for targeting internet-facing software. – In 2023, the European Commission highlighted the number of supply chain attacks in Europe has tripled. Supplier attacks against all sectors are likely to increase in the coming year. We anticipate threats will continue from existing sources, as well as evolving in new technology areas such as artificial intelligence and quantum computing.
Cyber operations and incidents As a global connectivity provider, we see a range of cyber threats. We use our layers of controls to identify, block and mitigate threats and reduce business or customer impact. Our global security operations capability handles trillions of events and logs from sensors across our footprint, detecting potential threats and events. Low severity issues are dealt with quickly, for example by malware containment or isolating an individual device. More significant events are triaged to our 24/7 incident management and response team. We operate a single global team and capability. Where a security incident occurs, we have a consistent incident management framework to manage our response and recovery. The focus of our incident responders is always fast risk mitigation and customer security. In the event of a cyber breach, disclosure is made to the relevant authorities in line with local and global regulations and laws and a risk assessment considering the impact on customers. This may include law enforcement as well as regulators. The European Union’s GDPR provides a framework for notifying customers in the event there is a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Our data privacy officers are a key part of the response where incidents impact personal data. We will also notify the SEC if an incident is deemed material. We classify security incidents on a scale according to severity, measured by potential business and customer impact. The highest severity category of event is called Severity 0 down to the lowest Severity 4. Severity 0 corresponds to a significant data breach or loss of service caused by the incident. If a Severity 0 incident occurs, we notify the Executive Committee, the Board and external auditors and provide regular updates. A crisis group is formed composed of relevant senior management who oversee the response.
SEC requirements have been incorporated into our incident management process. In the event of a Severity 0 incident, the Disclosure Committee (composed of the CFO and General Counsel) would decide if a UK market disclosure is necessary for materiality reasons, that would also trigger disclosure to the SEC. In the past two financial years, no incidents have been Severity 0. In FY22 we experienced one Severity 0 in Vodafone Portugal in February 2022 and in FY21 we experienced one Severity 0 incident at Italy Ho. Mobile in December 2020. Details of these two previous disclosures are in our FY23 Cyber Security Factsheet. These incidents did not have a material impact on the Company’s business strategy, results of operations or financial condition. Whilst overall incident volumes have remained stable, a higher proportion of these are at suppliers and third parties. In FY24, 55% of severity 1 and 2 incidents were related to our suppliers and third parties (FY23; 47%). We contractually require our suppliers to report incidents and we track and manage the incidents using the same framework as we do for internal events. In two cases in this financial year, our team helped a supplier recover services after a ransomware attack. Neither of these incidents were material to Vodafone’s business strategy, results of operations or financial condition. When incidents are closed, we complete a post-incident review to learn the lessons from the incident, including the root cause and any improvements needed. Cyber insurance is an important part of our risk management and litigation approach. Vodafone holds cyber liability insurance alongside business interruption and professional indemnity policies. Should a serious cyber event occur, we could recover the costs in whole or in part through these policies. Click to read more about how we manage risks from technology disruptions in our SASB disclosure: investors.vodafone.com/sasb
Powered by FlippingBook