2024 Cyber Security Factsheet

Culture, training and awareness

Vodafone Group Plc Cyber Security Factsheet 2024

Introduction

Strategy

Risk management

Our operating model

Threats and incidents Compliance

Strategy

Our cyber security strategy Our vision is a secure connected future for our customers and society. We are motivated by a clear purpose to inspire customer trust and loyalty by providing sustained cyber security, ultimately contributing to a secure society and an inclusive future for all. Our cyber security strategy and operating model support our vision and goals, and form part of our wider Company strategy. Each year we refresh our cyber security strategy and every five years redevelop the cyber security strategy based on changes in the internal and external environment. Our strategy is based on core principles, including: – Act as an enabler for the business; – Be proactive, risk and threat-led, supported by data-driven decisions, automation and digitalisation; – Build and assure security in all products and services; and – Simplify architecture though partnership with key suppliers. To implement these principles, our strategy is delivered through six pillars of change: Control evolution: Maintain and improve our security controls and procedures beyond the existing cyber security baseline with an adaptive and risk-based framework. Secure by design: All products and services have security built-in whether we build them ourselves or buy them from vendors. Dynamic trust: Strong zero-trust security based on dynamic risk-based access that is frictionless for users, for example, multi-factor authentication and moving away from passwords. Real-time data, real-time response: The next generation of our detection and response capability, more automated and based on advanced analytics. Spirit of Vodafone & cyber culture: The next generation of our detection and response capability, more automated and based on advanced analytics. Security for society: Collaborate widely to encourage standardisation, share intelligence, and engage on regulation. Each year we define and communicate priorities for a three-year period, so all areas of our business are clear on the investment priorities for security. We track progress against these priorities throughout the year.

Strategic pillars

Cyber security products & services for our customers We provide cyber security support to our customers through Vodafone Consumer and Vodafone Business. For Consumers, we offer our Secure Net service to help keep them and their families safe. Secure Net detects and protects against online malware, infections and viruses, provides smart alerts if a customers’ identity is compromised, and provides parents with advanced parental controls. At the end of March 2024, Secure Net was available to mobile customers in 7 markets and converged customers in 4 markets and had nearly 8 million subscribers. Where Consumers subscribe to additional security products, such as Secure Net, there are also significant NPS benefits. We also provide cyber security support to our business customers through Vodafone Business. Our products and services help our business customers of all sizes protect themselves from the evolving cyber security threat landscape and adapt to a new model of security necessitated by the adoption of hybrid working. Our portfolio of cyber security solutions for businesses is available in 16 markets and has nearly 1 million users. Our products and services leverage our global network and partnerships, such as those with Accenture, Lookout, Trend Micro, and VMWare, to make enterprise-grade security services accessible to organisations of any size. For SOHO and SME customers our focus is on click-to-buy services covering endpoint and network security, as well as risk assessments and cyber training. In the coming year, we are expanding our comprehensive portfolio to include backup, secure connectivity and external risk protection services. For mid-market business customers, we offer a range of professional and managed services that provide support across the full spectrum of an organisation’s cyber security needs – assessing risk with vulnerability assessments; penetration testing and cyber exposure diagnostics; protecting the organisation with firewall management and phishing awareness campaigns; through to full scale managed detection and response, and breach response and forensics services. For larger and multinational organisations, Vodafone Business offers a range of network, endpoint and managed security solutions to enhance mobile and fixed portfolios in this segment. Click to read more about our strategic partnerships on page 11 of our FY24 Annual Report: vodafone.com/ar2024

Dynamic Trust

Security & Privacy by design

Real time data, real-time response

Security & Privacy for Society

Security & Privacy Control evolution

Spirit of Vodafone & cyber culture

Year ahead The priorities for the coming year include updating and redeveloping our cyber security strategy in line with future technology changes and expected threats. This strategy will position us to manage changes in technology, threats and the external environment. Key priorities for the year include: – Design and development of a new security operations platform; – Further strengthening of identity, access control and authentication; – End-to-end security of our telecommunications networks, transforming how we manage the security of our third parties; and – New adaptive cyber risk methodology. Alongside these shifts, we continue to focus on security control improvement, efficiency and automation, including automation of key risk indicators that provide data driven measurement of our security position.