Intercast September 2025 – The Value of Cybersecurity

Welcome to the September 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll share the latest news and views to bring you up to speed.

In This Issue

  • Client Insight: Communicating Value
  • Making The Most Of Training Techniques
  • FAA Wants Tougher Airplane Cybersecurity
  • Pro Cyclists Could Be Hit By Cyber Sabotage
  • Ransomware Attacks Now Mostly Come At Night
  • Healthcare Cybersecurity Act A Step Closer
  • Best of the Rest

Client Insight

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month we’ve had several conversations about how we communicate the value of cybersecurity. It brought to mind one of the most important and easily overlooked rules of talking tech: It’s not about the technology!

To put that another way, technology such as cybersecurity doesn’t have any value in itself. Instead, the value it brings is all in the outcome. That could be as simple as generating revenue or cutting costs, but most of the time it’s about freeing up staff to concentrate on doing their job and using their skills.

As an industry, we need to talk less about what we do and how we do it, and more about the difference it makes. For example, many businesses won’t be impressed by figures of how many attacks you intercepted and even a stat about improved uptime might not catch their eye. Reframe it by saying how much staff time you saved by keeping networks online and now you’re talking their language.


Making The Most Of Training Techniques

This month we particularly enjoyed an article by Phil Venables on 10 essential techniques for security training and awareness. It’s not about specific exercises but rather the different ways we can teach and learn about security, concentrating particularly on what each method is designed to achieve.

For example, he notes that simply telling people about security controls is not sufficient: the message really sticks when you explain the purpose of the controls. We particularly liked the approach of highlighting when another business was hit by a security breach and using this as a way to thank staff for playing their part in avoiding a similar outcome.

The article is also great on recognizing the human element. Venables points out that simply asking if anyone has any concerns risks somebody keeping quiet because they are uncomfortable “speaking out.” Instead, he suggests copying the approach of flight crew, where every member is asked individually to confirm that they are happy to go ahead with a project or procedure.


FAA Wants Tougher Airplane Cybersecurity

The FAA has proposed new cybersecurity rules for planes. It’s nothing to do with in-flight customer WiFi but rather the planes themselves.

As airplane components become increasingly connected to networks for monitoring and maintenance, combating cyber threats gets more complicated. Until now the FAA has coped by issuing “special conditions”, a series of case-by-case regulations for each new situation. That’s now become so complex that it’s driving up the cost of certification.

Now the agency plans to bring them together into a single set of clearer rules. They’ll put a particular emphasis on making sure key components such as engines and propellers are fully protected from cyber threats. They also want to be sure pilots could continue safely operating planes even during a cyber attack.


Pro Cyclists Could Be Hit By Cyber Sabotage

Competitive cycling might not seem an obvious arena for cyber threats but increasing tech use could bring a new form of dirty tricks.

Computer scientists from the University of California San Diego and Northeastern University say they’ve found several major vulnerabilities in popular wireless gear-shifting technology. That’s a system that reduces the risk of riders being slowed by physical problems in purely mechanical systems.

The vulnerabilities include attackers being able to record and retransmit wireless commands without authentication. A popular communication protocol used in wireless gear-shifting leaks data, meaning crews could gain insights into the tactics of rivals. It’s also possible to remotely disable or compromise gear shifting on specific bikes without affecting others in the vicinity.

The researchers will be publishing countermeasures and mitigations for the vulnerabilities. They also warn it’s naïve to think cycling teams wouldn’t try to exploit such issues, given the sport’s colorful history of nefarious tactics.


Ransomware Attacks Now Mostly Come At Night

The majority of ransomware attacks now take place between 1am and 5am in the victim’s time zone, according to Malwarebytes. It’s a pattern with a simple explanation: that’s when businesses are least likely to have dedicated security staff monitoring and responding to threats.

The figures are the logical development of an established pattern where attacks often take place on the weekend before a public holiday to aim for the longest possible time before detection. (Physical bank and jewelry store robberies have often followed a similar schedule.)

The tactic is particularly effective now that the complete ransomware process, from initial breach to encryption, has evolved from a matter of weeks to a matter of hours. Perhaps unsurprisingly, Malwarebytes argues it proves the value of automated real-time monitoring and response systems that don’t rely on human supervision.


Healthcare Cybersecurity Act A Step Closer

A Senate committee has backed a bill to improve cybersecurity in healthcare, though it’s far from certain it will make it into law.

The proposed Healthcare Cybersecurity Act would require more collaboration across the industry and better coordination between US security and health agencies. It would also authorize better resources for non-federal agencies.

The main argument for the bill is that although healthcare in the US is heavily based on private business, healthcare facilities are effectively a key part of the nation’s infrastructure. The bill enjoys bipartisan support. One of the backers of the bill, Jacky Rosen, describes herself as the only former computer programmer to serve in the Senate.

The bill is going through the legislative process in both houses and has passed an initial committee stage in the Senate. However, it’s something of a race against time for both houses to agree and pass a final bill before the uncertainty of November’s elections.


Best of the Rest

Here’s our roundup of what else you need to know: