Intercast June 2025 – Successful Cyber Risk Programs

Welcome to the June 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.


In This Issue:

  • Client Insight: Gartner Highlights
  • AI Scandals Harming Trust In Tech
  • FBI Ran Its Own Phone Network To Breach Cybercriminals’ Security
  • SEC Issues $10 Million Fine For Slow Breach Disclosure
  • Best Of The Rest

Client Insight

Client Insight: Intercast attended Gartner’s Security and Risk Management Summit this month and came away educated with a few key learnings:

Successful Cyber Risk Programs Are:

  • Dynamic/Distributed/Defensible/Data Driven/Decision Enablement
  • An Augmented Cybersecurity Organization is:
  • Fault Tolerant/Has a Minimum Effective Toolset/Creates a Resilient Cyber Workforce
  • CISO Effectiveness Depends On:
  • Setting boundaries/prioritizing professional Development/Executive 
  • Collaboration/Succession Planning

To learn more, see: https://www.gartner.com/en/articles/highlights-from-gartner-security-risk-management-summit-2024

https://emt.gartnerweb.com/ngw/eventassets/attendees-navigator/executive-summary/sec30[…]ua-_-Email-_-LM_ATCM_NA_2024_SEC30_BB_Post2_Attended-_-0000 


AI Scandals Harming Trust In Tech

It’s been a bad month for privacy in the world of AI and it’s threatening to undermine trust in all forms of technology, including our own cybersecurity world.

At the lesser end of the scale, Meta has begun using Facebook and Instagram posts to train its AI. That’s not quite so bad as it’s using publicly posted content and users in some countries can object under privacy laws. 

More seriously, Slack users have been shocked to discover even their “private” messages could be fed into AI training models. While the company has openly said it doesn’t use customer data to train its AI, critics note its privacy rules and terms & conditions do allow it to do so, including with messages.

And it’s not just the little people. ChatGPT maker OpenAI used a simulated voice remarkably similar to that of Scarlett Johansson despite having asked the actress for permission to use her voice and being firmly turned down.

The problem with such cases is that it makes people sceptical about all uses of AI. That could be a big deal in cybersecurity where many believe it could be a real force for good.


FBI Ran Its Own Phone Network To Breach Cybercriminals’ Security

It’s hardly a secret that the FBI uses some creative cybersecurity approaches to try to gather evidence. But it’s likely new to most people that the agency set up and operated its own phone company.

Joseph Cox has written a book revealing the incredible true story of the FBI’s “Anom” network. Agents were frustrated at the difficulty into breaking into encrypted phone services used by criminals.

They eventually concluded it would be easier to simply set up and market an encrypted phone network aimed at people who wanted to communicate in complete privacy for nefarious purposes. The unadvertised twist was that the FBI had direct access to the messages in decrypted form.

As The Verge explains, the tactic worked extremely well. The problem was that operating a growing phone network, complete with demands such as scaling technology and customer service, eventually became too much for the FBI to handle.


SEC Issues $10 Million Fine For Slow Breach Disclosure

The SEC’s has fined a company $10 million for not reporting a cybersecurity breach quickly enough after becoming aware of the incident. It’s a sign that businesses really do need to take breach notification rules seriously.

While data privacy laws are arguably weaker in the US than in many countries, things are different for publicly traded companies when it comes to breach notifications. The SEC rule is based on the idea that suffering a data breach could significantly affect a company’s value and so investors have the right to know as soon as possible.

Ironically, the company facing the penalty is Intercontinental Exchange. It operates the technology behind several financial markets including the New York Stock Exchange.

The $10 million fine came under the previous incarnation of the SEC rules. They were changed last summer to include a strict time limit of four working days. Previously the rules simply said companies had to be “prompt” with no defined time period.


Best of the Rest

 

Here’s our round up of what else you need to know: