Known Systems. Hidden Risks. | Episode 5 - Digital Signage, Cyber Security and Protective Security

Why the Industry Needs to Move Beyond “Screens on Walls”

By Luke, Co-Founder & CTO, CMC Consultancy Partnership

Introduction

Digital signage has changed.

What was once a relatively simple arrangement of screens, media players and scheduled content has become a connected technology estate. Modern digital signage may depend on cloud content management systems, remote support tools, user accounts, software updates, local networks, wireless infrastructure, managed service providers, manufacturer platforms and third-party integrations.

That creates opportunity. It also creates risk.

Digital signage can now support brand communication, wayfinding, customer engagement, emergency messaging, venue operations, staff instruction, public information, retail activity, transport movement, education estates, corporate workplaces and major events. In some environments, it may become one of the most visible communication layers in the building.

But visibility cuts both ways.

A screen showing the right information at the right time can reassure, direct and inform. A screen showing the wrong information, at the wrong time, because the system has been compromised or poorly governed, can create confusion, embarrassment, operational disruption and, in some circumstances, genuine safety concerns.

The industry therefore needs to treat digital signage with more maturity.

This is no longer just an AV conversation. It is also an IT, cyber security, operational resilience and protective security conversation.

The screen is only the visible part of the system.

Digital signage is often judged by what people can see: the display size, brightness, mounting detail, image quality, content layout and visual impact.

Those things matter, but they are only the visible part of the system.

Behind the screen there may be:

  • A media player or system-on-chip platform

  • A content management system

  • Administrator and publisher accounts

  • Local or cloud-based storage

  • Remote monitoring tools

  • Remote support access

  • Network switches and VLANs

  • Wi-Fi or wired network connectivity

  • Firewall rules

  • DNS, DHCP and NTP dependencies

  • Firmware and operating system updates

  • APIs and integrations

  • Power and environmental dependencies

  • Physical access risks

  • Supplier and manufacturer support arrangements

If the system is connected, it has an attack surface.

If it relies on cloud services, it has external dependencies.

If users can publish content, it has access-control risks.

If suppliers can remotely support it, it has third-party access risks.

If it is used for emergency or public information, it has operational and safety implications.


A digital signage system is therefore not “just a screen”. It is a connected system that needs to be designed, installed, secured, documented and reviewed accordingly.

The common failure: assuming someone else owns the risk

Many digital signage projects suffer from a fragmented responsibility model, arguably, this is the case for most AV systems.

The manufacturer supplies the product. The distributor supplies the hardware. The installer fits the equipment. The integrator commissions the system. The client’s IT team provides network access. The marketing or communications team controls content. Facilities may own the physical location. Security may only become involved if the system is intended to support public safety or emergency messaging.

Each party has a role. But unless those roles are clearly defined, important assumptions fall between them.

The installer may assume IT has approved the network.

  • IT may assume the integrator has hardened the player to cyber risks.

  • The manufacturer may assume the installer has followed the security guidance, where such guidance exists at all.

  • The client may assume the system is secure because it works.

  • The content team may assume the CMS is being monitored.

  • The facilities team may assume the media player is physically protected.

  • The security team may assume emergency messaging has been tested.

That assumption chain is where risk is created.

When something goes wrong, the result is usually familiar: finger pointing between manufacturer, installer, integrator, IT and client. Is the problem the CMS, the network, the firewall, the player, the Wi-Fi, the content schedule, the firmware, the display, the DNS, the local account, the cloud service or the client’s own process?

Without a clear baseline, nobody knows.

That is why digital signage projects need a more evidence-led approach.

Pre-installation review: the work that prevents avoidable problems

Many installation issues are created before anyone arrives on site.

A project can have the right displays, the right brackets, the right media players and the right content platform, yet still fail because the environment was not properly understood.

A pre-installation review should therefore answer one basic question:

“Can this system be installed, operated and secured properly in this client environment?”

That review does not need to be academic. It needs to be practical.

It should consider network readiness, product suitability, cyber security, physical constraints, operational ownership and supportability.

Network readiness is not optional.

Digital signage needs reliable network access, but that does not mean it should simply be connected to the nearest available port, an unmanaged local switch, or an available Wi-Fi network.

The network position should be understood before installation.

A proper review should consider:

  • Will the system use wired, wireless or mixed connectivity?

  • Is there a dedicated signage VLAN or network segmentation?

  • Is the signage network isolated from sensitive corporate systems?

  • What outbound internet access is required?

  • Are any inbound connections required?

  • Are firewall rules documented and limited?

  • Are DNS, DHCP and NTP available and reliable?

  • Will proxy inspection, SSL inspection or web filtering affect the platform?

  • Is multicast, IPTV, local discovery or streaming required?

  • Are DHCP reservations or static IP addresses needed?

  • Is the available bandwidth adequate for content updates?

  • Are switch ports active, correctly patched and labelled?

  • Is remote support required, and how will it be controlled?

  • Has the client’s IT team approved the architecture?

These questions are not “nice to have”. They prevent wasted engineering time.

Many signage faults are not display faults or software faults. They are network faults, firewall faults, access-control faults, Wi-Fi faults, DHCP faults, DNS faults, proxy faults or undocumented client-environment issues.

If these issues are discovered only when engineers are on site, the project becomes harder, slower and more contentious.

Pre-installation review protects the client, but it also protects the installer and integrator. It creates a shared view of what the system needs before the system is installed.


Cyber security starts with product selection

Cyber security cannot be added at the end of a project.

It begins with product selection.

The UK’s connected product security regime came into effect on 29 April 2024. It applies to relevant consumer connectable products and places duties on manufacturers, importers and distributors. The regime includes minimum security requirements around issues such as default passwords, vulnerability reporting and transparency over security update periods.

Not every professional AV or digital signage product will fall neatly into the same product category. However, the direction of travel is clear: connected devices are expected to be more secure, better documented and better supported.

That expectation should influence how digital signage products are selected.

Before choosing a display platform, media player, CMS or remote management solution, clients and integrators should ask:

  • Does the product use unique credentials or force password change on first use?

  • Are universal default passwords avoided?

  • Is there a vulnerability disclosure process?

  • How long will the product receive security updates?

  • Is that support period stated before purchase?

  • Are firmware updates signed and authenticated?

  • Can updates be centrally managed?

  • Is secure boot supported?

  • Can unused services be disabled?

  • Can USB ports, local inputs and screen menus be restricted?

  • Is remote access disabled unless deliberately enabled?

  • Does the CMS support multi-factor authentication?

  • Does the CMS support role-based access control?

  • Are audit logs available?

  • Can supplier accounts be restricted or time-limited?

  • Is there clear hardening guidance?

  • What is the end-of-life and end-of-support policy?

These are not hostile questions. They are reasonable questions.

Good manufacturers should welcome them.

A product that is suitable for a low-risk internal noticeboard may not be suitable for a major venue, transport environment, public authority building, healthcare estate, corporate headquarters, university campus or public-facing emergency messaging system.

Product selection should reflect the risk profile of the environment.


The Cyber Security and Resilience Bill shows the wider direction of travel

The Cyber Security and Resilience (Network and Information Systems) Bill has not yet received Royal Assent. As at 15 July 2026, the Bill remains before the House of Lords, with the current version listed as HL Bill 32, as brought from the Commons.

It is not a digital signage law.

However, it is relevant because it reflects a broader policy direction. The UK is moving towards stronger cyber resilience, more consistent incident reporting, clearer regulatory oversight and increased attention on the systems and suppliers that organisations rely upon.

The Government’s summary of the Bill describes reform to the existing Network and Information Systems Regulations 2018, including expanded and more timely reporting of harmful cyber-attacks and a stronger framework for regulators. It also refers to obligations for data centres and digital and managed service providers to inform customers where they are likely to have been impacted.

That matters because many modern signage systems rely on exactly this kind of wider dependency chain.

A signage estate may depend on:

  • Cloud hosting

  • Content management platforms

  • Managed service providers

  • Data centres

  • Remote access tools

  • Manufacturer update services

  • Client networks

  • Identity services

  • Internet connectivity

  • Supplier support

  • Third-party APIs

Even if the signage system itself is not the direct target of the legislation, the organisations deploying it may be operating in a world where cyber resilience expectations are increasing.

The point is not to overstate the legal position. The point is to recognise the trend.

Connected systems are increasingly expected to be understood, governed, documented, monitored and maintained throughout their lifecycle.

Digital signage should not be treated as an exception. Current AV guidance is useful, but guidance can lag behind the pace of technology, regulation and real-world deployment risk.

The AV industry has improved its cyber security conversation. Guidance now commonly refers to network segmentation, strong passwords, firmware updates, MFA, physical security and role-based access. AVIXA, for example, has published guidance on digital signage security and networked AV security.

That is positive.

However, there is a danger in treating high-level guidance as a complete project assurance model.

Advice such as “segment the network”, “change default passwords”, “patch regularly” and “use MFA” is valid. But it does not answer the harder project questions:

  • Who owns the signage VLAN?

  • Who approves firewall rules?

  • What destinations and ports are actually required?

  • Who reviews supplier access after handover?

  • Who removes commissioning accounts?

  • Who monitors CMS audit logs?

  • Who confirms whether the player operating system is still supported?

  • Who checks whether the product has reached end of support?

  • Who tests emergency messaging?

  • Who confirms that local inputs and menus are locked?

  • Who verifies whether the system can work if the internet fails?

  • Who owns the risk if the signage is used during an incident?

  • Who documents the final configuration?

  • Who decides whether a residual risk is acceptable?

This is where guidance can become too generic.

It may be accurate, but not sufficiently operational.

The industry needs to move beyond “best practice” as a phrase and towards evidence-based assurance. A checklist is useful only if someone can demonstrate that it has been applied to the real system, in the real environment, with the real client’s risk profile in mind.

Where signage supports safety-critical or operational messaging

Any organisation advising venues in this area should be prepared to say when technology is appropriate, when it is not, and when the client needs planning, training or procedural clarity before procurement.

Digital signage can be valuable, but only when it is integrated into a wider security and operational plan.

The right questions include:

  • What risk is the venue trying to manage?

  • What is the intended operational outcome?

  • Who is authorised to trigger emergency messaging?

  • Can messages be issued quickly?

  • Can messages be targeted by zone, building, floor, entrance or concourse?

  • Are messages pre-approved?

  • Are messages accessible and understandable?

  • Do staff know when and how to use the system?

  • Has the process been exercised?

  • Does signage align with PA/VA, stewarding, control room and emergency services messaging?

  • What happens if the CMS is unavailable?

  • What happens if the internet connection fails?

  • What happens if the signage network is compromised?

  • Could an attacker use the signage system to misdirect people or create panic?

That last question is uncomfortable, but necessary.

If signage is used to support protective security, then the signage system itself becomes part of the protective security environment. It must be trusted.

A compromised marketing screen is embarrassing.

A compromised emergency messaging system could be dangerous.

Network-connected systems need lifecycle governance.

The National Cyber Security Centre’s connected places guidance is aimed primarily at connected places and public realm technology, but the principles are relevant to any environment deploying networked systems that interact with physical spaces, public services or operational infrastructure. The guidance emphasises designing, building and managing connected places so they are more resilient to cyber-attack and easier to manage.

The National Protective Security Authority also warns that network-connected security technologies create risks throughout the product lifecycle, including supply chain, deployment, use and eventual secure destruction.

Digital signage is not always a security technology. But where it supports public information, emergency communication, venue operation or protective security, it sits close to that world.

The system therefore needs lifecycle governance.

That means:

  • Asset records

  • Product support periods

  • Firmware and software update processes

  • Account governance

  • Supplier access management

  • Network documentation

  • Firewall rule review

  • Physical access control

  • Backup and recovery arrangements

  • Incident response procedures

  • Monitoring and alerting

  • Periodic review

  • End-of-life planning

  • Secure decommissioning

A system that was secure on handover can become insecure over time.

Passwords get shared. Supplier accounts remain active. Firmware is not updated. Operating systems reach the end of support. Players are moved. Screens are repurposed. Firewall rules are changed. Documentation is lost. Staff leave. The CMS gains new users. Temporary access becomes permanent.

Security drift is normal unless it is actively managed.

That is why post-installation assurance matters.

Post-installation assurance: proving the system is suitable, secure and supportable

A digital signage project should not be considered complete simply because content appears on screen, perhaps not even after the installer/ integrator has finished.

Working content is not the same as a secure, resilient and supportable system.

A post-installation assurance review should check whether the system has been installed and configured in line with the agreed design, whether operational requirements have been met, and whether cyber and support gaps remain.

This review should be practical and evidence led.

It should consider:

Operational performance

  • Are all screens online?

  • Are all players reporting correctly?

  • Is the correct content displaying?

  • Are schedules operating as intended?

  • Are clocks and time zones correct?

  • Are content updates completing?

  • Is offline playback working where required?

  • Are monitoring alerts configured?

  • Can faults be seen by the right people?

  • Does the client understand the content workflow?

  • Has the user handover been completed?

  • Are known limitations documented?

Network and connectivity

  • Are devices connected to the correct VLAN or network segment?

  • Are IP addresses, DHCP reservations or naming conventions documented?

  • Are firewall rules limited to what is required?

  • Are DNS and NTP working reliably?

  • Is remote support configured securely?

  • Are unused ports disabled where appropriate?

  • Is Wi-Fi security suitable if wireless is used?

  • Is the network design consistent with the agreed architecture?

Cyber security

  • Have default credentials been changed?

  • Is MFA enabled where supported?

  • Are shared accounts avoided?

  • Are roles separated between administrators and content publishers?

  • Are supplier accounts controlled?

  • Are firmware and software versions recorded?

  • Are operating systems still supported?

  • Are unnecessary services disabled where possible?

  • Are logs available and reviewed?

  • Are USB ports and local inputs controlled?

  • Are display menus locked where appropriate?

  • Are remote access tools approved and documented?

  • Is there a vulnerability reporting route for the platform?

  • Is there a process for applying security updates?

Physical security

  • Can media players be accessed by the public?

  • Are network ports exposed?

  • Are USB or HDMI inputs exposed?

  • Are players secured in enclosures where appropriate?

  • Are cables protected?

  • Can a remote control change inputs or settings?

  • Are screens mounted securely?

  • Are tamper risks understood?

Protective security use cases

Where signage is intended to support public safety, emergency messaging, venue operations or incident response, additional questions should be asked.:

  • Which screens are included in emergency messaging?

  • Can messages be targeted by location?

  • Who is authorised to issue emergency messages?

  • Are templates prepared and approved?

  • Are staff trained?

  • Has the process been exercised?

  • Does signage messaging align with other communication channels?

  • Can the system operate during network or internet failure?

  • Are audit logs available showing who published what and when?

  • Are emergency messaging functions protected from unauthorised access?

This is not about creating paperwork for its own sake.

It is about establishing a clear baseline.

If a system is later questioned, the parties should be able to identify what was installed, how it was configured, what was tested, what risks were accepted, and who owns each part of the operational model.

That protects everyone.


Documentation is not bureaucracy; it is evidence

Poor documentation is one of the most common causes of post-installation disputes.

Without documentation, every problem becomes harder to resolve – more fingers are pointed throughout the implementation of the project.

An evidence pack should include:

  • Asset list

  • Screen and player locations

  • Serial numbers where appropriate

  • CMS tenant details

  • Account structure

  • Firmware and software versions

  • IP addressing or DHCP reservation summary

  • VLAN and firewall rule summary

  • Remote access arrangements

  • Support contacts

  • Manufacturer support position

  • Known limitations

  • Residual risks

  • Photographs where useful

  • Handover notes

  • Recommended remediation actions

This does not need to be unnecessarily complex. It needs to be usable.

The purpose is to avoid argument later.

If the client says the system is not working, the first question should not be “who is to blame?” It should be “what does the baseline show?”


Artificial intelligence is useful, but it is not authority

There is another issue worth acknowledging.

Many people now use AI tools to gather intelligence on legislation, standards, technology and compliance. That is understandable. Used properly, AI can help identify topics, structure thinking, summarise concepts and suggest questions.

But AI-generated research is not an authority.

Legislation changes. Bills move through Parliament. Guidance is updated. Standards are revised. Regulators issue new documents. Implementation dates change. Secondary legislation may alter the practical position. A confident answer can still be wrong if it is not checked.

That is particularly important in areas involving product security, cyber resilience, protective security, public safety and emerging regulation.

Any serious article, proposal, specification or client recommendation should therefore distinguish between:

  • Law

  • Draft legislation

  • Statutory guidance

  • Non-statutory guidance

  • Industry practice

  • Manufacturer documentation

  • Professional opinion

  • Assumption

That distinction is part of professional integrity.

Readers should be encouraged to verify primary sources, especially where legal or regulatory duties are being discussed.

Useful sources include GOV.UK, UK Parliament, legislation.gov.uk, NCSC, NPSA, ProtectUK, SIA, OPSS, ETSI, relevant standards bodies, manufacturer security documentation and the client’s own IT and cyber policies.


A more mature delivery model

The standard should be higher.

Before installation, the environment should be reviewed.

During installation, the agreed design should be implemented and recorded.

After installation, the system should be tested, documented, secured and periodically reviewed.

This protects the client.

It protects the manufacturer.

It protects the installer.

It protects the integrator.

It protects the venue.

Most importantly, it protects the integrity of the work and the safety of all people.

Digital signage remains one of the most effective communication tools available to modern organisations. It can inform, direct, reassure, promote, warn and support operations in real time.

But when it is connected, it must be treated as a connected system.

When it supports public information, it must be reliable.

When it supports emergency messaging, it must be trusted and consistent.

When it depends on suppliers, those dependencies must be understood and limited where appropriate.

When it connects to a network, the cyber position must be considered.

When it is handed over, the evidence should be clear and documented.

The industry does not need to make this more complicated than it is. It needs to make it more disciplined.

Conclusion

There is a place for independent review in this model.

Not to replace manufacturers.

Not to undermine installers.

Not to second-guess integrators for the sake of it.

And not to turn every project into a consultancy exercise.

The value is in helping all parties work from the same evidence base.

A sensible independent review can check whether the environment is ready before installation, whether the design has been implemented as intended, and whether the completed system is operationally suitable, cyber-aware and supportable after handover.

That is the thinking behind CMC’s approach to digital signage assurance.

It is intentionally practical: review the environment, reduce avoidable installation issues, document the system, identify gaps, and help prevent the familiar blame cycle between client, manufacturer, installer and integrator.

That is not about selling compliance.

It is about raising the standard of delivery.

Next
Next

Known Systems. Hidden Risks. | Episode 4 - Cyber Frameworks: The Rules That Already Apply to Your Network