48 Vodafone Group Plc Annual Report 2025
Our approach continued
Cyber security

Strategy

Our cyber security strategy

Our vision is a secure connected future for our customers and society. We are motivated by a clear purpose to inspire customer trust and loyalty through providing sustained cyber security, ultimately contributing to a secure society and an inclusive future for all.

Our cyber security strategy and operating model support our vision and goals, and form part of our wider Company strategy. Our strategy is based on core principles, including:
– Act as an enabler for the business;
– Be proactive, risk and threat-led, supported by data-driven decisions, automation and digitalisation;
– Build and assure security in all products and services; and
– Simplify architecture through partnership with key suppliers.

In the past year we have been redeveloping the strategy based on changes in the internal and external environment. This takes account of future threats and changes in technology so it remains fit for purpose over the next five years and beyond. The updated strategy consists of five main areas:
– Dynamic Trust, Identity and Insider. Through robust tooling and processes, we aim to make sure the right people can access the right information at the right time.
– Proactive Health and Real-time Response. The next generation of our detection and response capability, using advanced analytics and automation to expand our capabilities.
– Cyber Health and Adaptive Risk Method (‘CHARM’). We provide a view of our security risk which adapts to change and is quantified to make better risk decisions.
– Securing Networks, Products & Services. New technologies are harnessed securely and products and solutions are designed with security in mind. We enable secure connectivity through an end-to-end operating model for telecoms security.
– Supplier and Society Ecosystem. We embed and seek to drive good security practice across our suppliers. We partner and collaborate widely to achieve good security outcomes for our customers and society.

Each year we define and communicate priorities for a three-year period, so all areas of our business are clear on the investment priorities for security. We track progress against these priorities throughout the year.

Year ahead

We have started work on five transformations aligned with the updated strategy. These include:
– Design and development of a new security operations platform;
– Further strengthening multi-factor authentication;
– Enhancing end-to-end security of our telecommunications networks;
– Transforming how we manage the security of our third parties; and
– Implementation of CHARM.

Alongside these priorities, we continue to focus on security control improvement, efficiency and automation.

Read our cyber security factsheet: investors.vodafone.com/cyber
Listen to our experts summarise our approach to cyber security: investors.vodafone.com/videos

New technologies and industry collaboration

We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme we follow our Secure by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures.

Mobile networks

Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features in our core networks. We also test security in our radio networks using independent third-party testing companies.

Open RAN is a new way of building and managing radio access network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecommunications equipment. We continue to collaborate with other players in the Open RAN ecosystem to improve security. This includes adding requirements to the Open RAN specification, publishing internal security standards, and benchmarking vendors against these. The first Open RAN sites are now live in the UK and Romania.

Quantum computing

We are preparing for a time when quantum computers able to break certain cryptography are available at scale. Through our joint research with IBM, we have developed a risk-based approach to mitigate the risks of existing cryptography. We are identifying where we are using cryptography that is potentially vulnerable to attack from quantum computers, defining supplier requirements and developing the ability to update our cryptography when new threats emerge. We have set up a long-term Quantum Safe programme, and plan to pilot migration activities in the next year in collaboration with IBM and telecom vendors. Vodafone co-chairs the telecommunications industry-wide task force on this issue.

Artificial intelligence (‘AI’)

We take the responsible use of AI seriously and seek to balance the opportunities and security risks associated with AI. Security teams from across the business are collaborating under the governance of a global responsible AI committee which agrees policy, mitigates threats, and identifies and selects use cases for implementation.

Read more about AI governance on page 47

To deliver secure and responsible AI, we integrate secure AI lifecycle practice, requirements and tools into strategic AI platforms and internally developed AI applications. To reduce the risks of misuse, we limit access to public AI applications. We have developed an awareness programme and updated our policies to make it clear to our employees what data must not be shared with public AI applications.

We have defined requirements for internal AI application development including risk assessment, designing for transparency, lack of bias and providing the right degree of human oversight of results. If the AI model could have a high impact on people, we require a human to have input on the final decision.

We are also experimenting with AI to augment our cyber security processes. The first application is a chatbot which can answer employee questions on cyber policies and standards. We are also engaged in cross-industry forums that collaborate on telecommunication-specific AI use cases, including threat detection, investigation and response.