Whether you’re a national, regional, local or community radio station, cyber security should always be kept on the agenda. Devices can go missing, pet names get used for passwords, programs get installed that shouldn’t and, with the rise of scammers, suspect links and attachments in emails to invoice redirection and outright theft, there’s always something to consider.
Each year, for the entire month of October in Europe, hundreds of activities around cyber security take place from conferences to workshops, training to webinars and more. It’s all driven by the European Union Agency for Cybersecurity (ENISA) which runs an annual campaign dedicated to promoting cybersecurity among EU citizens and organisations, along with providing up-to-date online security information through awareness-raising activities and the sharing of good practices.
It sounds like a mouthful, and you can read more about it here, but in essence, it’s a month-long effort to aid the understanding and importance of cyber security for the world we live in today.
For radio stations, it’s paramount. Think of your internal setup – from remote staff to in-house workers, reception through to sales and commercial departments, news and sports programming to production and advertising. You may be running internal file stores, having countless connected machines from desktop computers to CCTV, your on-air playout system to your online streaming service. You’ve got full-time staff, part-time staff, contractors, swing jocks, cover reporters, work experience students and more – and that might be just on any given day.
Then think of your external setup as the analogue world has shifted to digital. You might have one transmission site, or you might have a dozen. They could be all interconnected, all networked. You’ve got primary links, backup links, AOIP connections, SIP connections and a plethora of hardware and software from many different providers that all have a key job to do in keeping the show on the road.
While you may not be able to bridge every gap or plan for every scenario, there are some simple things you can do to help improve cyber security hygiene for your radio station. And yes, these tips could be adapted and applied to businesses in all walks of life, but I’m focusing on the radio side of things for the minute.
Plenty of variables in a connected world, which could mean plenty of opportunities for would-be cyber attackers. So from safeguarding sensitive data to ensuring uninterrupted broadcasts, here are ten quality cyber security tips that you could implement immediately to bolster your radio station’s defences and protect your assets.
10 simple cyber security tips for radio stations (and other businesses)
1. Implement robust firewalls
Every radio station’s IT infrastructure should be shielded by robust firewalls. These act as the first line of defence against external threats, filtering out malicious traffic and preventing unauthorised access. That’s literally what firewalls do – provide a layer of protection from the outside world. Typically a single firewall setup will sit between your internal network and your external connection to the internet.
All manner of rules and configurations can be implemented to restrict traffic from outside sources, and limit requests to resources from inside (e.g. blocking certain websites or categories of online content). Whether you’re managing a firewall yourself or you’ve engaged the services of a third-party IT or security firm, you should ensure that your firewall hardware and software settings are regularly updated and reviewed.
2. Secure data storage
Radio stations handle a plethora of data and information every single day, from listener contacts and queries to commercial contracts and big finance deals, to sensitive employee information and more. It’s vital to store this data securely. Where you can, opt for encrypted storage solutions and consider using cloud services that offer advanced security features and regular backups. Always ask yourself the question – if I lost this data in the morning, how much would it impact my ongoing operations? If the answer is anything more than ‘not at all’, you need to consider your data storage options.
3. Regularly update software
In April 2014, Windows XP reached end of life. The extended support for Windows 7 beyond the end of life was reached in January 2023. Windows 10 will reach its end of life in October 2025. Yet there are core systems in radio stations around the world that are still running on dated, unsupported and no longer updated operating systems or running outdated software.
If you dig deep enough, you may even find it as a requirement of your insurance that you’re required to be running on updated versions of particular software. In the case of Microsoft, regular updates are pushed for Windows 10 and Windows 11 and, while sometimes they introduce headaches when done in the background, they’re provided for a reason – especially OS security upgrades.
The bottom line, keep essential software up-to-date and in line with your provider’s schedule for updates. Where you’re using other third-party software whether for remote access, scheduling, traffic and advertising, playout or the management of other key hardware and infrastructure, keep up with patch notes from vendors and apply updates regularly.
4. Establish a strong password policy
This one’s a simple one and can be applied to any walk of life. There are two areas jumping off the page immediately for this – one is with users logging on to an internal network (also picked up in my next point) and the other is for email and social media.
A strong password policy can be put in place by domain administrators (assuming your internal network uses a domain) while policies can also be set for Microsoft 365 / Google Workplace accounts for accessing email and other associated online services. For example, please don’t let someone’s password be ‘password’ or ‘abc123’. Consider a strong password policy, that can be enforced, encouraging longer, more cryptic options.
Tools like 1Password will provide password generators, LastPass too have an online option available here. If you’re only as strong as your weakest link, and that link is your password, it’s an easy one to improve. Equally, if you’re not already using MFA (multi-factor authentication for cloud accounts, remote studio access, email etc) then that’s a move you should be considering.If you’re a Microsoft 365 user, you may have already seen warnings coming about transitioning users from old 2FA methods to authentication apps, or doubling up with a password and an authentication app for additional layers of security.
5. Limit network access with defined roles for domain users
This is possibly more of an internal matter than an external matter but if you’ve got all desktops in your radio station on your primary network, and let’s say those desktops have access to shared files, running orders, contact details, show logs and more, that’s a lot of information you’re leaving up for grabs.
If you don’t have something in place already, consider a separate area, machine or network setup for program preparation that may allow access to the web in general, social media tools or printers. However, a better conversation starts with your network administrator in defining user roles and requirements for those accessing your network. Programming staff shouldn’t need access to commercial shares, your commercial staff shouldn’t need access to technical shares etc.
Users could be segmented into groups (a news pool, a music pool) with access rights to certain areas of your network restricted based on their role. If everyone has the keys to the castle, who’s really minding the castle?
6. Encrypt sensitive devices
Do you have a laptop or network-connected device heading to an outside broadcast? Have a phone passed around the studio as ‘the social phone’? If you’ve got portable devices heading out into the wilds – and that includes station-issued mobile handsets or other IP devices – make sure that there’s a strong level of security in place.
For Windows-based laptops, look at Bitlocker encryption, for Mac-based options look at enabling FileVault. For mobile phones, you should at the very least have SIM and device logins enabled, whether by PIN, patterns or biometrics (Face ID, fingerprint). Got social accounts running on devices? Consider implementing 2FA/MFA or adding app-specific passwords (a useful feature on Android handsets) to provide an additional layer of security.
7. Personal device (BYOD) policies
When it comes to personal devices, my recommendation would be that they stay off-network (or get segmented network access i.e. guest access) and they shouldn’t be used for any station-related work including mails, socials or otherwise.
If staff or contributors need to work on their own devices for any reason, then you need to consider a BYOD or Bring Your Own Device policy. This would determine how staff, contractors and other users can use their own laptops, smartphones or other personal devices on the company network if they need to access network-stored data to perform their job duties.
Essentially your radio station owns the data, but you don’t own the devices that are being used to access it. Options on device management, allowing apps to run in a separate partition or profile on a device can be looked at but running a BYOD policy can bring challenges. You may have to offer and provide support for devices that you’re allowing into your network, you have to be able to ensure compliance with policies and procedures (including legal), and you’ve still got to ensure your data is protected.
The great unknown when it comes to network security is still the human element. How many times have we heard phone-ins on talk shows discussing bank accounts being emptied, credit cards being charged, and identities being stolen because someone clicked a link in an email?
Remember the Sony hack in 2014? It might necessitate you inserting warning messages to emails internally on delivery, cautioning staff on opening links and attachments. It may necessitate training days, webinars, or regular briefings or, as with my last point below, engaging with cybersecurity experts to help inform and educate staff.
Come across something in the news worth sharing with your team? The last thing you’ll want is one of your own team ending up on your morning talk show about how they’ve been scammed or had their Facebook account hacked because they clicked something they shouldn’t have, let alone the greater impact that could pose to your station.
9. Regular backups
Nightly, daily, incremental or whole snapshots, the choice is yours. If your radio station was hacked, flooded, struck by lightning or burned to the ground in the morning, could you survive with the loss of data? Or what if someone had clicked a link in a spurious email or opened an attachment they shouldn’t have and suddenly you find you’ve been locked out of vital systems? Imagine your playout was rendered unusable, could you spin it up in the cloud? Or if the building was fine but someone happened to gain entry to your network and delete everything overnight, have you backups in place?
Don’t leave it to chance though, and when you are making backups, try to have them backed up to somewhere other than the machine you’re taking them from. Redundancy counts for a lot.
10. Collaborate with cybersecurity experts
You can’t know everything and can’t be expected to know everything, that’s why IT contractors and cybersecurity experts exist. If you’re already working with a third-party provider, turn the conversation from reactive to proactive and open a dialogue about your cyber security options. Talk to them about auditing your radio station’s network and assess weak points, be they hardware, software or human. There’s no silver bullet
A final word & additional reading
If you fear you’ve been a victim of a cybercrime or data theft, you should report the incident to your local Garda station and may need to contact the Data Protection Commission.