2024 Cyber Security Factsheet


Vodafone Group Plc Cyber Security Factsheet 2024


Strategy continued

New technologies and industry collaboration

We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Secure by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures.

Mobile networks

Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features in our core networks. We also test security in our radio networks using independent third-party testing companies.

OpenRAN is a new way of building and managing radio access network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecommunications equipment. We continue to collaborate with other players in the OpenRAN ecosystem to improve security. This includes adding requirements to the OpenRAN specification, publishing internal security standards, and benchmarking vendors against these. The first OpenRAN sites are now live in the UK, Romania and DRC.

Artificial Intelligence

We take the responsible use of AI seriously and seek to balance the opportunities and risks associated with AI, and more recently generative AI (‘Gen AI’). Teams from across the business are collaborating under the governance of a global AI governance board which agrees policy, mitigates threats, and identifies and selects use cases for implementation.

We are experimenting with public and private Large Language Models (‘LLMs’) to support a range of potential business cases. To date, two private versions of models have been reviewed and approved through our Secure by Design process. To reduce the risks of misuse, we limit access to specific public LLMs. We have developed an awareness programme and updated our guidance and policies to make it clear to our employees what data must not be shared in a public AI model.

Read more about AI governance on page 46 of our FY24 Annual Report: vodafone.com/ar2024

We have defined requirements for internal LLM application development including risk assessment, designing for transparency, lack of bias and providing the right degree of human oversight of results. If the AI model could have a high impact on people, we require a human to have input on the final decision.

We are also investigating the use of AI to augment our cyber security processes. The first proof of concept is a cyber security chatbot which can answer employee questions on cyber policies and standards. We are also part of cross-industry forums which collaborate on telecommunication-specific AI use cases, including threat detection, investigation and response.

Quantum computing

We are preparing for a time when quantum computing is available at scale. Through our joint research with IBM, we have developed a risk-based approach to mitigate the risks of existing cryptography, which could be more easily broken by a quantum computer. We are identifying potential quantum vulnerabilities, defining supplier requirements and developing the ability to update our cryptography when new threats emerge. Vodafone also co-chairs the telecommunications industry-wide task force on this issue.

Industry collaboration

We actively engage with stakeholders across industry, with regulators, standard-setting bodies and governments. Collaboration is vital to respond to threats, protect our organisation and workforce, and build safe online and digital spaces for customers and society. We use our expertise and experience to engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing, risk assessment, and governance.

For example, we have engaged in cross-industry collaboration through the European Round Table, where we chair the CISO committee. We have an appointed member on the National Cyber Advisory Board in the UK. We also collaborate with other telecommunication companies, and actively engage in security standards working groups such as ENISA 5G Cyber Security Certification, O-RAN Alliance Security Focus Group and GSMA Fraud and Security Group.

[Figure labels: Spectrum; Our networks; RAN equipment; Open RAN equipment; Technology centres; Mobile core and fixed networks; Radio base stations; Fixed and transport infrastructure; Wireless devices; Homes; Offices and data centres]