A Manager’s Guide To Avoiding A Cyber Attack


(By Chris Reczek and Frank McCoy) Most broadcast managers come from backgrounds in programming, sales, finance or law. Traffic and billing systems, email, document storage, program automation and web functions are mostly thought of as utilities. You turn on the tap and expect water to come out. These systems have streamlined our industry, allowing us to shave expense, reduce headcount and improve the product. Yes, most of us experience occasional glitches, but they are generally infrequent and without significant revenue impact. A call to the help desk generally sets things right.

Meanwhile, we have moved more and more of our enterprise infrastructure to the public internet. Gone are the expensive leased telephone company circuits that connect studio and transmitter. The internet provides the connection. Orders, scheduling, billing, receivables management, the program log and the programming we air, all are dependent on machines with proven vulnerabilities, all connected directly or indirectly to that same internet. Streaming and web presences are inherently internet-centric.

Recent highly disruptive events at several publicly traded radio companies have exposed risks that managers need to try to understand and plan for. It turns out that the internet might be a more dangerous place than it first appeared. We authors have no illusions that we can make you IT security experts in a few pages. Instead we will try to demystify some of the plumbing behind that water tap you turn on, expecting clear, clean water. If nothing else, we hope to arm you with the questions you should ask of your IT professionals and the kinds of answers you should expect. Every manager weighs risk and return as a core responsibility. This now includes possible business disruption because of information technology vulnerabilities.

Knowing more is always an advantage. As a starting point, invite your IT person(s) to put what they administer on a whiteboard. A basic diagram should show the places and key functions the business relies on. It should show connections between these and identify what service connects them. In particular, look for places where connections that should be private pass through the public internet.

We suspect you are now envisioning a painful hour of geek-speak filled with lots of letters and acronyms that are meaningless to the uninitiated. But this is your meeting. Don't permit the incomprehensible. Set a rule of no acronyms. Expect your techies to know the names of things and how they do what they do. If you are looking for an immediate benefit, keep in mind that technical departments can become stratified and divided into responsibility silos just like any other organization. Presentations like this expose disconnected staffs. Be the auditor who comes into an unfamiliar environment and asks questions, looking to understand the flow of work, the decisional processes and the logic that underpins them. Auditors in this discipline should also be looking for the individual who claims to know more than they actually know. Albert Einstein is reputed to have said that any physics that can't be explained to a twelve year old probably isn't true. By that metric, being able to explain the overall workings of the enterprise IT plumbing that you, as manager, depend on and are responsible for should be a fundamental requirement. It shouldn't take an Einstein to understand.

What you can expect to see and hear
Most publicly traded radio companies have adopted a centralized architecture for IT functions used across the company. There are economies of scale that go with putting all the IT functions in a single place. Centralizing reduces the need for IT employees in every market. Report generation across units and regions is easier when the sales and revenue data for every station is rolled up into a single database, just waiting to be mined for trends and opportunities. These are the plusses. The negative is vulnerability. A successful attack on core financial engine functions can do more than impair revenue and reporting. It can damage client relationships when billing becomes inaccurate or scheduling doesn’t meet expectations. Clients often communicate with Account Execs via email so a failure of that service can feel to our customers like they are being ignored.

Back in the day, radio market units ran an assortment of software products, often legacy systems from the days before market consolidation. The staff understood them. They functioned adequately. There seemed little reason to change until universal data connectivity across the internet became a reality. Now consolidated groups, publicly traded or not, usually operate a single software product for traffic and billing. The traffic director job has historically seen turnover so having many others trained on the same product made sense. But for all the advantages, centralization and standardization represent a vulnerability. If any part of the business is ripe for a hostage taking, it’s traffic.

How does this happen?
So how might that happen? Ransomware is the buzzword lately, with several companies hit by this kind of attack. Theft of personal data like credit card numbers is also regularly in the news. Keystroke loggers collect passwords as you type them. All of these are common malware "payloads," often launched well after the initial compromise, which may go unnoticed for weeks. For these adverse outcomes to manifest, one or more computers in your world must first have been compromised, typically through some sort of social engineering. It is not generally a "look over your shoulder and copy your password" affair. It will be an email that looks like it is from your boss, with a subject like "How could we let this happen?" and an attachment. Our job commitment and diligence are leveraged to harm us.

Still, when you attempt to open the email attachment, a warning pops up. Enable editing? Enable content? Those prompts exist precisely because the document wants to run code (macros) on your machine. Say yes and you are infected. You may not know right away, because this episode has merely opened a door that gives the attacker access to your machine. The process becomes even cleverer once inside, mining your email archive and address book for additional targets. Much of this is covered in email safety training videos. Some IT departments even send bait emails to users and send those who take the bait back for another training video. All of this largely ignores the fact that we equip our employees with laptops they take home and connect to whatever home internet connection they have. So the very best perimeter security at the office does not help at all when that infected laptop comes back and reconnects at the AE's desk.

Don't assume you were hit because your data is particularly valuable or because your station(s) are especially appealing or seen as vulnerable as a target. Most ransomware campaigns are indiscriminate. Only a small fraction of victims (the authors' estimate is about 2%) actually pay, so making the process profitable requires millions of victims, and your station is simply one of them.

A more insidious (and more sophisticated) class of attacks has come, ironically, from the development of security testing software. The tools that professionals use to assess how hard a network is to break into have leaked out into the wild and are now used by attackers to harvest, forge or replay the credentials behind the very password authentication systems we rely on. If you want to be genuinely frightened, just watch any of the Black Hat conference talks. They are on YouTube. And it is not just things with a keyboard and screen anymore. That phone on your desk is really a computer with a handset. Your printer is really just a computer with ink or toner. They have all been proved vulnerable, and they rarely get the patches and attention your desktops do.

With so much simply beyond your reasonable control, it becomes important to identify what can be economically protected, what can't be and what might not need protecting at all. The decisions are similar to those considered when you buy other forms of insurance. The same questions apply: What would a loss look like? What would be the economic impact? What would the reputational impact be? How much is reasonable to spend on hardware and staff to avert a bad event? Will the strategy work? And in case you were wondering, yes, there are private insurers who will sell coverage for just such a disruption. Premium pricing might provide a guide to what insurance actuaries believe the risk is.

Some suggestions
So the first suggestion, implemented already by some groups, is to get out of the business of hosting an email system internally. The big providers like Microsoft and Google are simply better equipped to fend off trouble than a corporate (or local) IT department can be. We are not shilling for big tech, but it says something when the Institute of Electrical and Electronics Engineers (IEEE), perhaps the preeminent technical society on the planet, moved their ieee.org email to Google.

At least ransomware and the other flavors of malware are not magic software that can jump from place to place without human help. They can only access and damage the files that are accessible under the access rights held by the login that "runs" them. Yes, we warned you about geek speak. But think of this: when you log into your desktop computer, the files and folders you see are your own along with others shared across the market unit or enterprise. No one else can erase files that belong to you, or at least that is how it should be. Shared files on shared drives and in shared folders can be similarly restricted. Only the author (or those he or she grants permission to) can erase or overwrite them. How does this help? Ransomware encrypts files and then erases the originals, or simply overwrites each file in place with its encrypted version. Either way it needs the right to delete or change the file. If the infected login has no such right on the shared files, nothing is lost beyond the files belonging to the person whose machine is infected.

This leads to the second suggestion: files in shared folders or shared directories should be set up so that only the author may erase or change them. Others may read, and if editing is required, they save a new version under their own name. The same rights limitations should be employed on every machine possible. Yes, this will add to the required disk space. So what? Storage is cheap these days, whether on a machine you manage or in the cloud, and an extra copy of a file is a lot cheaper than a ransom.
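The following is an added example, not code from the article or from any vendor, of how the second suggestion is expressed on a Windows file share with NTFS permissions. The share path, domain group and server names are hypothetical placeholders. The pattern is: everyone in the group can read everything and add new files, but the Modify right (which includes delete and overwrite) is granted only to CREATOR OWNER, i.e. whoever created a given file.

```powershell
# Added example (not from the article): NTFS permissions for a shared folder where
# everyone in the group can read everything and add new files, but only the person
# who created a file can change or delete it. All names below are hypothetical.
$Share  = 'D:\Shares\Sales'            # assumed share path
$Group  = 'CORP\Sales-Users'           # assumed domain group
$Admins = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $Share -Force | Out-Null

# Start from a clean slate: remove permissions inherited from the parent folder
# so a permissive parent cannot quietly undo what follows.
icacls $Share /inheritance:r | Out-Null

# Administrators keep full control, inherited by every file (OI) and folder (CI).
icacls $Share /grant "${Admins}:(OI)(CI)F" | Out-Null

# Group members may read, list and execute everywhere below the share root.
icacls $Share /grant "${Group}:(OI)(CI)RX" | Out-Null

# Group members may add files (WD) and subfolders (AD) in this folder only.
# No (OI)/(CI) flags, so this entry does not flow down to files: nobody gets
# delete (DE) or write on someone else's file.
icacls $Share /grant "${Group}:(WD,AD)" | Out-Null

# CREATOR OWNER: whoever creates a file or folder receives Modify on that object.
# (IO) = inherit-only, so this entry grants nothing on the share root itself.
icacls $Share /grant "CREATOR OWNER:(OI)(CI)(IO)M" | Out-Null

# Check: read the resulting access list back. Expect exactly the four entries above.
icacls $Share
```

Run this as an administrator on the file server. The check at the end is what you hand to the manager: a short access list with the group limited to RX plus WD,AD at the root, and CREATOR OWNER holding the only Modify entry. Test it with two ordinary accounts before rolling it out: account A creates a file, account B should be able to open and copy it but every attempt by B to save over it, rename it or delete it should be refused. Note what this does not do: if account A's laptop is the one infected, A's own files in the share are still at risk, which is exactly the limit the article describes.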

By now you may be seeing a theme – containment of damage. We think hacks are probably unavoidable and building the perfect impenetrable perimeter wall will be both expensive and probably ultimately ineffective. The authors of malware have all the time in the world and have devoted their lives to successfully stealing at a distance. Trolling for victims is an automated process like spam, freeing these evildoers to develop new ways to hack. Our response will always be reactive, not proactive. Winning the arms race with hackers will consume more resources than it protects. The foregoing should provide some feeling for how the sales and G&A teams can be protected and provide some framework for conversation.

The financial tools we use represent a more significant concern. At the market level, consider putting two computers in front of traffic staffers: one with regular office connectivity, email, web browsing, word processing and so on, and the other running exclusively traffic and related software. Following the theme of containment, and given the sensitivity of traffic and billing, it would be wise to put that universe on an isolated network of its own. An infected traffic machine that sets about encrypting essential data is a nightmare waiting to happen. The good news is that traffic and billing systems are databases. The core information store usually lives on a server somewhere else, and interactions are transactional: "Here, database, you will need this information," followed by "Thank you. This appears correct. Here is my reply that you, market traffic machine, will need." Because the workstation talks to the server through that narrow transactional channel rather than by opening files on a shared drive, a compromised workstation in one market should not be able to reach another market's data directly. If this is not how your system works, call your traffic software vendor. Most traffic systems do store some data locally, and that local copy would be at risk, so the isolated machine should hold as little as possible. Still, given the modest expense of additional computers, this seems like cheap insurance. One last caveat about traffic and billing: direct AE access for order entry, in particular what parts of the traffic system are exposed when an AE creates or modifies an order, should be understood completely. That AE laptop has been who-knows-where from a security perspective and is now about to connect to the enterprise bread and butter.

Since interaction between traffic software and program automation software is essential to smooth operation, you might as well consider putting the automation system into the same limited-access environment. (Your techies may call this a "segmented" or "isolated" network. Strictly speaking, "air-gapped" means no network connection at all, which is not what we are proposing here, since the traffic and automation machines still have to exchange logs.) Many of the popular automation software packages are averse to security measures anyway. The software needs to run with full rights to erase files on any other automation machine. Better to keep that vulnerability in a sandbox of its own, too. For automated affidavits requiring an internet connection, work with your vendor to create a separate machine that does this with otherwise limited connectivity. If your vendor doesn't have a strategy like this, ask why. Both these software categories also require access when a support tech "remotes in" to perform upgrades or troubleshoot. Provide this connection only when needed, and close it again when the tech is done.
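As an added example (not from the article or any traffic or automation vendor), here is what "limited connectivity" and "provide this connection only when needed" look like when written down as host firewall rules on a Windows traffic workstation. Every address, port and rule name is a hypothetical placeholder; substitute the servers and ports your own vendor documents. The workstation is allowed to reach only the traffic database server, the automation server and internal DNS; everything else outbound is blocked by default, and the vendor remote-support rule is created disabled so that it is switched on for a scheduled session and off afterwards.

```powershell
# Added example (not from the article): host firewall rules for a traffic/billing
# workstation on its own network segment. All names, addresses and ports below are
# hypothetical placeholders; use the values your vendor documents.
$DbServer       = '10.20.30.10'      # assumed traffic/billing database server
$DbPort         = 1433               # assumed database port the traffic client uses
$AutomationSrv  = '10.20.30.20'      # assumed program automation server
$AutomationPort = 445                # assumed: file share used for the log hand-off
$DnsServer      = '10.20.30.2'       # assumed internal DNS server
$VendorRange    = '198.51.100.0/24'  # assumed vendor support address range
$VendorPort     = 443                # assumed port for the vendor's remote-support tool

# Default to blocking everything in and out on every profile. Only explicit allows pass.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Workstation -> traffic database server, one port only.
New-NetFirewallRule -DisplayName 'Traffic: database server' -Direction Outbound `
    -Protocol TCP -RemoteAddress $DbServer -RemotePort $DbPort -Action Allow

# Workstation -> automation server for the traffic/automation log exchange.
New-NetFirewallRule -DisplayName 'Traffic: automation server' -Direction Outbound `
    -Protocol TCP -RemoteAddress $AutomationSrv -RemotePort $AutomationPort -Action Allow

# Name resolution, pinned to your own DNS server rather than "anywhere".
New-NetFirewallRule -DisplayName 'Traffic: internal DNS' -Direction Outbound `
    -Protocol UDP -RemoteAddress $DnsServer -RemotePort 53 -Action Allow

# Vendor remote support: the rule exists but starts disabled.
New-NetFirewallRule -DisplayName 'Traffic: vendor remote support' -Direction Outbound `
    -Protocol TCP -RemoteAddress $VendorRange -RemotePort $VendorPort -Action Allow `
    -Enabled False

# Day of the support call:
#   Enable-NetFirewallRule  -DisplayName 'Traffic: vendor remote support'
# When the tech signs off:
#   Disable-NetFirewallRule -DisplayName 'Traffic: vendor remote support'

# Check: list what is currently allowed out, so the whiteboard diagram and the
# machine agree. The vendor rule should not appear unless a session is in progress.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Enabled
```

Run as an administrator on the traffic workstation. If the machine is domain-joined it will also need rules for the domain controllers (logon, time and group policy), so expect a short additional list from your IT staff rather than a single allow-all. Host rules like these are a second layer, not a substitute for putting the traffic machines on their own switch port or VLAN behind the network firewall, which is the isolation the article recommends; the value of the host rules is that the "only when needed" vendor access becomes something you can see in a list and audit, rather than an open door that nobody remembers.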

Lock the doors
Finally, don’t overlook physical security of the network equipment. Installing everything in an unlocked closet forfeits quite a lot of security. Commercial datacenters employ strong access control for a reason. At the market level there’s probably no call for a retinal scan security system but the gear should be at least as well locked off as the prize closet.

Not everything in our world needs the same level of protection either. We in the radio business create a product that we give away to listeners. We try in as many ways as possible to make our content available to them. So powerhouse firewall fences around everything are perhaps something of a waste.

Food for thought and discussion
These suggestions are intended to be conversation starters. You may be pleasantly surprised at the extent to which your IT team has already taken steps like these to limit risk exposure. Knowing your people are on the case means you'll sleep better at night. Consider regular outside assessments: a vulnerability scan tells you which known weaknesses exist, and a so-called "penetration test" tells you what a skilled attacker could actually do with them.

But these steps are insurance, essentially. Like other forms of insurance, be sure the cost of the premium is in line with the value of the possible losses. Much as an automobile dealer might, park the most valuable cars inside at night. Yes, the internet will continue to be a vector for attack. Yes, we'll probably see the occasional hit, most times because of human error, which is a given in life. But careful design of the working network environment to contain trouble, driven by an understanding of the business operation fundamentals (this is where you come in), will limit risk, damage and disruption while keeping capital expense in line.

Chris Reczek is a cyber security professional in the Chicagoland area with over 20 years of experience in security operations and strategy. He has a degree in telecommunications and holds numerous cyber security certifications.

Frank McCoy is a multi-decade veteran of the radio industry in technical, technical management, and ownership roles. He holds an undergraduate degree in Electrical Engineering and has held various IT certifications along the way.
