2024 Cyber Security Factsheet

Culture, training and awareness

Vodafone Group Plc Cyber Security Factsheet 2024

Training and awareness

Our cyber security awareness approach is to educate our employees to protect themselves and our customers from cyber threats. Cyber security training is mandatory as part of our Doing What’s Right programme. The training module is designed by the cyber security team to inform employees of key threats and how to avoid them. The cyber leadership team are actively involved in shaping the approach and in specific employee communication. The corporate security function lead on all employee security training and they deliver the programme and materials.

Mandatory training runs every other year with a short refresher and knowledge check in the intermediate year. If the knowledge check is failed, the employees are required to retake the full cyber security training module. During the year we launched a training manual for contractors, so they also receive the same level of awareness. Training on cyber security is also included in our induction process for new employees. We track completion rates to ensure every employee completes mandatory training when assigned.

Read more about our approach to mandatory Doing What’s Right training on page 44 of our FY24 Annual Report: vodafone.com/ar2024

Cyber security training is reinforced by regular digital communications delivered via our internal social media platform, through videos and webinars. We respond to threats with specific targeted advice, such as the use of multi-factor authentication and reminders to not share credentials.

We perform phishing simulations across all markets and functions to raise awareness and train employees. We target at least two exercises per market or function per year. We also run multi-market simulations to allow us to compare responses consistently – in the most recent exercise we sent over 100,000[1] emails to nine[1] European markets and Group functions. Those who click on the link in the phishing message or share their credentials receive immediate training. We are now rolling out this multi-market approach to our African markets.

We also provided focused training for our Executive Committee. This year, we covered social engineering threats, use of social media, travel to high-risk countries, using devices securely and how to share confidential information safely. The training materials were cascaded to their teams by ExCo members.

We have continued to undertake incident simulations for local executive committees, most recently for Greece. The simulations provide CEOs and their teams with a realistic and tailored experience of managing a cyber incident and exercising their responsibilities in accordance with our common approach.

Growing our skills

We enable employees in our cyber teams to maintain and grow their skills to better protect our customers. Our company learning platform hosts cyber training on technical topics, platforms and frameworks. Employees can study towards recognised information security and cyber certifications aligned to their learning plans.

Since 2020 we have organised twice-yearly cyber connect events for our entire global cyber security team. The events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience with some attending in offices and some remote.

The Cyber Code

The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is embedded in our Code of Conduct and is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice.

Our Cyber Code

The Vodafone Cyber Code has been designed to simplify and explain the basic security controls to all employees. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security.

ALWAYS use multi-factor authentication for remote systems that hold sensitive information.

NEVER allow unsupported end of life systems in Vodafone infrastructure, or release unsecured products or services.

ALWAYS apply the latest security patches, close critical and high vulnerabilities and configure systems securely.

NEVER click on links or download without knowing who it is from. Report suspicious behaviour.

ALWAYS remove access when staff change roles or leave Vodafone. Secure privileged access and only use it for privileged tasks.

NEVER share or reuse your passwords. Longer is stronger.

ALWAYS classify, label and protect information you work with.

Read more about Vodafone’s Cyber Code in our Code of Conduct: vodafone.com/code-of-conduct

Note: 1. Includes Vodafone Italy and Vodafone Spain.
