By Steven J.J. Weisman
BOSTON — Radio and television stations are prime targets for hackers with a myriad of different motivations. Some hackers may simply be looking to hack your station’s websites and computers to temporarily take control of these media to embarrass the station or make a political statement. Other more profitably inclined criminals are hacking into your computers to trick station employees into downloading ransomware, threatening to destroy your data if you do not pay a ransom. Still others are seeking to steal W-2s and other personal information for purposes of identity theft, including income tax identity theft. Finally, some radio and television stations will be targeted by hackers seeking to gain access to the station’s bank accounts or to lure the station into paying phony invoices.
Data security is a problem not just for big businesses, but for small businesses as well. According to a study by security software company Symantec, 36% of all targeted attacks recently have been made against businesses with fewer than 250 employees. This problem is made worse by the fact that, according to the National Cyber Security Alliance, 83% of small businesses have no formal cyber security plan and 69% have no plan at all. This makes small businesses the low-hanging fruit for scam artists (the only criminals we refer to as artists) who can steal your data from anywhere in the world.
Although rogue employees are a problem with which every radio and television station should deal, hacking by cybercriminals from outside the station is often an even bigger problem. A litany of major data breaches suffered by private companies such as Sony and governmental agencies such as the Office of Management and Budget (OMB) can be traced to sophisticated malware downloaded onto the targeted company’s computers through a technique called “spear phishing.” The sophisticated malware used by hackers to surreptitiously gather and steal personal information from your computers is only half the story: before that malware can be used, it has to somehow be installed on the targeted victim’s computers, and the way this is done is through spear phishing.
We are all familiar with the term phishing, which describes emails and text messages sent with links that, if clicked, will download malware. Most people are sufficiently sophisticated to avoid phishing emails that come addressed to “Dear Customer” or appear to come from a company with which we do not do business. But specifically tailored phishing emails containing personal information gathered from a range of sources, including public databases, hacked email accounts or even our own social media, can be written to appear much more legitimate and lure even sophisticated employees into clicking on malware-infected links. And don’t think that your security software will help you, because even if you have kept your security software up to date with the latest security patches, it will always be at least a month behind the latest strains of malware.
But it is not as bad as you think. It is far worse, because among the serious repercussions you face if your radio or television station does not have a good data security program in place (including, most importantly, training employees to recognize and avoid spear phishing) are increasing FCC actions against companies that it determines are not taking the proper steps to protect their data. Last year, the FCC started focusing on enforcement actions against companies for not safeguarding personal information. Three actions were brought by the FCC’s Enforcement Bureau, levying approximately $30 million in fines against companies with insufficient data security programs. Last year’s $595,000 settlement with Cox Communications was the first of what we can expect to be many more cases in which the FCC brought charges against a company that was a hacking victim. In this case, like so many others, the data breach was traced back to spear phishing.
So what can you do and what should you do? The list is too lengthy to enumerate in a column, but the steps are doable and at a reasonable cost. Primary among the steps that should be taken is training the “weakest link” in company data security, your employees, to recognize and avoid spear phishing.
Steven J.J. Weisman is a practicing attorney, legal editor for TALKERS magazine, a professor of Media Law at Bentley University in Waltham, Massachusetts and publisher of the website www.scamicide.com. He can be e-mailed at: firstname.lastname@example.org. Steven J.J. Weisman is available as a guest to discuss legal matters and the subjects of identity theft and scams. He is also available to conduct private corporate seminars at radio stations and groups to advise broadcasters on taking preventative measures to protect against the problems outlined in this column. Meet Steve Weisman at TALKERS 2016: Bridging the Generations on Friday, May 20 at Hofstra University.