Our approach to cyber security
Our Purpose is to enable connectivity in society, and as a provider of critical national infrastructure we recognise the importance of cyber and information security. No organisation, government or person will ever be fully immune to cyber-attacks, and the telecommunications industry faces a unique set of risks because we provide connectivity services and handle private communication data.
Our networks connect millions of people, homes, businesses and things to each other and the internet. The security of our networks, systems and customers is a top priority and a fundamental part of our company Purpose. Our customers use Vodafone products and services because of our next-generation connectivity, but also because they trust that their information is secure.
We have implemented an operating model based on the leading industry security standards published by the US Department of Commerce, specifically the National Institute of Standards and Technology. We have an international team of over 800 employees who are focused on constantly monitoring, protecting and defending our systems and our customers’ data.
We also work with third-party experts and consultants to maintain specialist skills and continue to follow leading practice. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. Although the Cyber team leads on detect, respond and recover, preventative and protective controls are embedded across all our technology and throughout the entire business.
Vodafone Cyber Code
Every employee has responsibility for cyber security and must follow the Vodafone Cyber Code, be sensitive to threats and report suspicious activity. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees need to follow security good practice.
Read more on Vodafone’s Cyber Code on page 20 of our Code of Conduct.
How we manage cyber security risks
Managing cyber security risks and threats is fundamental to maintaining the security of our services across every aspect of our business.
To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies to detect, prevent and respond to them. Our cyber security approach focuses on minimising the risk of cyber incidents that affect our networks and services.
Understanding the threat landscape is key to managing cyber risk. Over the course of 2020, two of the biggest cyber security threats faced by all organisations significantly increased: phishing and ransomware attacks. Cyber criminals exploited the emotion and uncertainty associated with the pandemic to deceive users into engaging with malicious emails or paying a sum of money to regain access to systems. Cyber criminals also increasingly targeted smaller suppliers to large organisations as a way to more easily compromise their targets. Organisations across all industries also continued to experience other forms of threats, such as sophisticated espionage attempts and the exploitation of unpatched vulnerabilities.
The Group’s Chief Technology Officer is the Executive Committee member responsible for managing the risks associated with cyber threats and information security. The Vodafone Cyber Security Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis and reports to the Chief Technology Officer.
Cyber threats and information security are a major area of focus for the Audit and Risk Committee, and detailed updates covering the threat landscape, risk position and security programme progress are provided at least twice a year. The Board is also regularly updated on cyber security matters.
What security controls we have in place
Controls can prevent, detect or respond to risks. Most risks and threats are prevented from occurring or will be detected before they cause harm and need a response. A small minority will need recovery actions.
We use a common global framework called the Cyber Security Baseline, and it is mandatory across the entire Group. The baseline includes key security controls which significantly reduce cyber security risk by preventing, detecting or responding to events and attacks. Our framework was initially developed based on an international standard, mapped to our key risks in a way that provides the most comprehensive protection. Each year, we review the framework in the light of changing threats and create new or enhanced controls to counter them.
A dedicated assurance team reviews and validates the effectiveness of our security controls, and our control environment is subject to regular internal audit. The security of our global networks is also independently tested every year to assure we are maintaining the highest standards and our controls are operating effectively. We maintain independently audited information security certifications, including ISO 27001, which cover our global technology function and 15 local markets. We comply with local requirements or certifications and actively contribute to consultations and debates with regard to laws and regulations that aim to improve and assure the security of communications networks.
We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Secure by Design process, evaluating suppliers' hardware and software, modelling threats and understanding the risks before designing and implementing the necessary security controls and testing them.
Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. 5G improves existing security, with additional protection against threats such as location tracking, call or message interception and modification of network traffic. Similarly, 5G includes enhanced features to protect signalling between different operators' networks, which helps prevent tracking or interception while roaming. Vodafone is working at pace to embed these new security features into our 5G network deployments.
Getting the right security by design across all operators is vital as 5G and other mobile technologies will connect billions of devices. Vodafone has helped establish the GSMA IoT Security Guidelines, and the accompanying self-assessment scheme. Where we work with partners or third parties to build and deploy IoT solutions, we also advocate the approach co-developed between Vodafone and Consumers International, as seen in their publication of the Consumer IoT Trust by Design Guidelines.
We also track and monitor potential future threats to our networks, systems and customers, such as quantum computing and its effect on encryption. While such a risk is not specific to Vodafone, we have started work to address the potential negative effects and maintain a robust level of encryption that is quantum safe within our network and systems.
As a global connectivity provider, we are subject to cyber threats, the vast majority of which are identified, blocked or mitigated by our robust control environment without any impact. Where a security event occurs, we have a consistent incident management framework and an experienced team to manage our response. The focus of our incident responders is always fast risk mitigation and customer security.
We actively engage with stakeholders, including academic institutions, industry, and government, in order to protect Vodafone, respond to cyber threats and work together to share best practice. Given our expertise and extensive experience, we also engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing and analysis, risk assessment, and governance.
Incident Case Study
In December 2020, ho.Mobile suffered a data breach and part of a database holding customer data was accessed by a third-party; no financial information, passwords, or mobile traffic data