Vodafone Group Plc Cyber Security Factsheet 2023

Risk management

Identification of vulnerabilities and risks

Cyber security is one of Vodafone’s principal risks. We understand that if it is not managed effectively, there could be major customer, financial, reputational, stakeholder or regulatory impacts. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas:

– External: Attackers and criminals targeting our systems, networks or people to conduct malicious attacks;
– Insider: Accidental leakage of information or malicious misuse of access privileges by our employees; and
– Supply chain: A supplier is breached or used as a conduit to gain access to our systems, data or people.

To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls.

Threat landscape

As part of our risk framework, we gather intelligence on threats. The cyber threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. This year, we continued to see an increase in cyber espionage and more sophisticated hacktivist activity following continued geopolitical instability. The ongoing war in Ukraine has remained a significant influence, with threat groups exploiting edge devices such as firewalls, routers and email servers. An emerging trend of ‘hybrid’ attacks (involving physical and digital security) has been reported by multiple organisations. Examples include the targeting of retail stores by cyber-criminal groups with the motive to perform account takeovers, SIM-swapping and credential harvesting. More generally, we are seeing attackers targeting users’ credentials as the main enabling method of compromising systems. Ransomware continues to be a significant threat to all organisations. We are aware of at least one ransomware threat actor group that has impacted multiple sectors for financial gain. One of our suppliers was impacted by this incident, and whilst there was no direct impact on Vodafone and no customer data was accessed, this was a clear example of the increasing threat within our supply chain.

During the coming financial year, we are developing a new framework we call ‘Cyber Adaptive Risk Management’ (‘CARM’). This framework will calculate residual risk based on specific threat scenarios, control effectiveness and the potential impact of incidents. We will continue to track the existing controls until this model is implemented in April 2024.

Supply chain

As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties with a dedicated team. At supplier onboarding, security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls to understand the residual risk, which informs the frequency of review. We follow up on open actions and ensure security incidents are tracked and managed.

Hackers can attack any point of your supply chain

Hackers can exploit a wider attack surface than ever before

Our threat intelligence team uses industry and external analysis to help shape our controls and drive actions. When we identify specific near-term threats, we respond with ‘Threat Action Groups’ who take fast mitigating action to avoid incident or risk impact, in a similar manner to how we respond to incidents.

Risk and control framework

Controls can prevent, detect or respond to risks. Most risks and threats are prevented from occurring, and most of the remainder will be detected before they cause harm and need a response. A small minority will need recovery actions. We use a common global framework called the Cyber Security Baseline, which is mandatory across the entire Group. The baseline is based on an international standard and includes key security controls which significantly reduce cyber security risk by preventing, detecting or responding to events and attacks. We have effectiveness targets for the key controls, which are monitored and reported to senior management for each market every month. The framework is regularly reviewed, and new controls or new targets are identified each year.

Assurance

A dedicated assurance team reviews and validates the effectiveness of our security controls, and our control environment is subject to regular internal audit. The security of our mobile networks is also independently tested and benchmarked against other telecommunications operators every year to assure that we are maintaining the highest standards and that our controls are operating effectively. We maintain independently audited information security certifications, including ISO 27001, which cover our global technology function and 15 local markets. In addition, our markets comply with national information security requirements where applicable. All systems going live and those undergoing change are independently penetration tested, and we complete approximately 1,000 penetration tests across Vodafone every year. We also perform adversary testing exercises using so-called ‘red teams’ and will continue to expand our capability in this area in future years.

Read more about our identification of cyber threat as a principal risk on page 53 of our FY23 Annual Report.
