4
Culture, training and awareness
Vodafone Group Plc Cyber Security Factsheet 2024
Introduction
Strategy
Risk management
Our operating model
Threats and incidents
Compliance
Risk management
Identification of vulnerabilities and risks Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people will be subject to cyber attacks and some will be successful, leading to security incidents. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data. As a result, cyber security is one of Vodafone’s principal risks. A successful cyber attack could cause serious harm to the Company or its customers, including unavailability of services or a data breach leading to disclosure or misuse of customer personal data. The consequences could include, but are not limited to, exposure to contractual liability, litigation, regulatory action, or damage to the company’s reputation and brand and loss of market share. In the worst case, the cyber security incident could cause material financial impact to the Company. There is increasing regulatory focus on cyber security and requirements for telecommunications providers to improve their cyber security practices. The Company is subject to GDPR and equivalent legislation in many countries in which it operates. In addition, there are cyber focused local laws and regulations, for example in the UK with the Telecoms Security Act. A cyber incident may therefore lead to regulatory fines and other enforcement activities if deemed to be due to inadequate security. Measures to meet these laws and regulations will also result in increased compliance costs. We dedicate significant resources to reducing cyber security risks, however due to the nature of the threats, we cannot provide absolute security and some cyber security incidents will occur.
Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk: – External: A wide variety of attackers, including criminals and statebacked groups, target our networks, systems and people using a range of techniques and procedures. They seek to gain unauthorised access to steal or manipulate data or disrupt our services. – Insider: Our employees may accidentally leak information or maliciously misuse their privileges to steal confidential data or to cause disruption; and – Supply chain: We only have indirect control over the cyber security of third-party service providers, limiting our ability to defend against cyber threats to these third parties. Such attacks, if successful, could cause services to be unavailable or enable a data breach to occur. To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls and procedures.
Cyber security risk is aligned with Vodafone’s enterprise risk framework. Each principal risk owner is responsible to produce a formal Line of Sight document twice a year that describes the risk, the Company’s risk tolerance, current position, control position and actions to move to tolerance if required. Second and third line assurance supporting the report is also included in the Line of Sight document.
Hackers can exploit a wider attack surface than ever before
Powered by FlippingBook