A secure connected future for our customers and society
Vodafone’s purpose is to connect everyone. As a provider of critical national infrastructure and connectivity that is relied upon by millions of customers, we prioritise cyber and information security across everything we do.
Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people are subject to cyber attacks and some will be successful. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle communication data.
Our operating model and strategy respond to the challenging cyber threat landscape. We implement controls that are designed to prevent, detect, respond to and recover from attacks. By taking this approach we aim to minimise impact to customers and the services we provide.
You can find more information on the work we do in Cyber Security in our Annual Report and our Cyber Security Factsheet.
Our approach to Cyber Security
We have implemented a globally consistent cyber security operating model that is based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk by constantly identifying threats, protecting, defending, responding, and continuously improving security.
We operate cyber capabilities with an in-house international team of over 900 employees. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. For example, our global security operations and defence capabilities take inputs and telemetry from all the markets where we operate. We augment our internal capabilities where necessary with third party specialist technical expertise, such as digital forensics and penetration testing, and use specialist resources to perform testing of our telecommunications networks. We work closely with industry peers and governments.
Our Strategy
Our vision is a secure connected future for our customers and society. We are motivated by a clear purpose to inspire customer trust and loyalty through providing sustained cyber security and cyber resiliency, ultimately contributing to a secure society and an inclusive future for all.
Our cyber security strategy and operating model support our vision and goals, and form part of our wider Company strategy. We regularly review and update our strategy based on changes in the internal and external environment. Each year we define and communicate priorities for a three-year period, so all areas of our business are clear on the investment priorities for security.
You can read more about our Cyber Strategy in the Annual Report and Cyber Factsheet.
Our Cyber Code
Every employee has responsibility for cyber security.
The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is embedded in our Code of Conduct and is the foundation of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice.
Read more about Vodafone’s Cyber Code in our Code of Conduct.
Risks and Controls
Managing Cyber risk
Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. The most important risks to the Company are referred to as principal risks; cyber risk is a principal risk.
We dedicate cyber security resources to managing cyber security risk, which we separate into three main risk areas: internal, external and supply chain.
We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we aim to identify the root causes and use them to improve our controls and procedures.
Our Risk and Control Framework
Security controls and procedures define the requirements which allow our security policies to be met. These controls and procedures are designed to prevent, detect, or respond to threats. Most risks and threats are prevented from occurring and we expect most will be detected before they cause harm and need a response.
We have a common global methodology for cyber security risk management. Mapping threats and specific attack techniques to the controls that most significantly reduce risk allows gaps to be highlighted.
We have set targets for key controls to be effective, meaning they are well-implemented and cover the relevant systems. New targets are set each year. The control framework evolves based on the threat landscape, technology changes, our strategic and business priorities, and changing regulation.
Assurance
A dedicated assurance team review and validate the effectiveness of our cyber security controls, and our control environment is subject to regular internal audit.
We test the security of mobile network controls each year using a specialist testing company, which also benchmarks our security against other telecommunications operators. The aim of this is to provide assurance that telecommunications controls are operating effectively.
We maintain externally audited information security certifications, including ISO 27001, which cover our global technology function and nine local markets. In addition, our markets comply with national information security requirements where applicable. Systems going live and those undergoing change are independently penetration tested. An internal team performs some testing, and we engage third party testers where appropriate. We also perform adversary testing exercises.
As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties.
New Technologies
We adopt new technologies to better serve our customers and gain operational efficiency. For technology programmes we follow our Secure by Design process, evaluating suppliers' hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures.
Threats and Incidents
An important part of our operating model is to gather intelligence and insights about threats. We actively engage with stakeholders across industry, with regulators, standard-setting bodies and governments. Collaboration is vital to respond to threats, protect our organisation and workforce, and build safe online and digital spaces for customers and society.
As a global connectivity provider, we see a range of cyber threats. We use our layers of controls to try to identify, block and mitigate threats and reduce business or customer impact. Our global security operations capability handles billions of events and logs from sensors across our footprint, detecting potential threats and events.
We classify security incidents on a scale according to severity, measured by potential business and customer impact. In the event of a cyber breach, disclosure is made to the relevant authorities in line with local and global regulations and laws and a risk assessment considering the impact on customers. We complete post-incident reviews to learn the lessons from incidents and any improvements needed.
Vodafone Portugal (February 2022)
In February 2022, Vodafone Portugal experienced a network outage caused by a deliberate cyber attack that was intended to cause disruption.
Report a Vulnerability
We value the expertise and help of the cyber security community in helping us maintain our high security standards. You can use this site to report any suspected security vulnerabilities related to our services or products.