Why the dark web could be a growing threat to your small business

Criminals are looking for small businesses' data to sell on the dark web. Here, we look at how to be vigilant.

Most small businesses don’t give two hoots about the ‘dark web’, the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

As far as many are concerned, the dark web is a murky place where dodgy criminals congregate to buy and sell things like weapons and drugs. It feels like a world apart from everyday business.

In today’s world, though, that’s a dangerous mindset to have. The truth is that, while criminals have been using the dark web for years to sell illegal items, they’re also using it more and more these days to sell something more valuable — stolen and leaked corporate data.

Today, every business has a wealth of valuable data, whether it’s employees’ personal details, corporate credit cards or sensitive client information. Criminals want to get their hands on that, so they can then sell it on the dark web to make some easy money. And it’s not just the criminals who want your data.

‘Hacktivists’ will happily steal from you and post your data online for free just to win kudos or because they want to damage your company reputation. Ex-employees can copy data to a USB or email it to themselves at home and then either deliberately leak it or suffer a breach themselves. And ‘script kiddies’ run automated scans to find vulnerable websites and servers for easy pickings.

The easiest victims to pick on are the small ones

And it’s not just the big firms who are targets. Small businesses are equally at risk, if not more so because they often lack the cybersecurity resources to deal with the problem. And every industry is equally at risk. The truth is that passwords, corporate credit cards, employee personal details, client information and so on are equally valuable whether they come from a big company or small, in manufacturing or in retail. The opportunistic nature of cybercrime makes the perpetrators blind to industry or size — and once perpetrators get hold of your data, they can wreak havoc with it. With corporate credit cards, criminals can buy what they want. With employee personal details, they can target victims with phishing attacks and fraud, and with client information, they can blackmail you.

Jeremy Hendy, CEO of cyber intelligence solutions company RepKnight, says he sees thousands upon thousands of dark web dumps every day of client login details (yes, with passwords). And most of the organisations to whom the data belongs have no idea these sales are happening because the dark web is, well, hidden. ‘The relatively low risk of getting caught (because the dark web affords strong anonymity) combined with the chance to make a lot of money (or at least show off) makes the dark web an incredibly attractive place for cybercriminals,’ Hendy says.

So, what can we do about it? First, we need to change the way we think about cybersecurity.

Protecting your network is a poor way to protect your data, Hendy says. ‘Protect your network, and your data’s safe, right? Wrong. Protecting your network is a poor way to protect your data.

‘Consider it from a parenting point of view. To protect your children (your data), you can install video cameras to the outside of your house and build a big fence around the perimeter of your property to deter kidnappers from getting in (expensive and complex).

‘But what about those times when your children need to leave your property, which will happen pretty much every day? Once your children have left the safety of the house, your house’s protection is useless.’

The same goes for data, he adds. The nature of modern business dictates that your data no longer lives within the perimeter of your network protection. It has already flown the nest and has scattered into the online stratosphere through email and collaboration with third-party partners and suppliers.

Hendy says that RepKnight recently did an audit of its own data and quickly found that there were around 35 partners, systems and places that were storing the data — all outside of its own network. ‘And we’re a small company, so imagine how that’s going to be magnified for larger organisations.’

Once that data leaves your network, its safety is well and truly out of your control. ‘But unlike children, once your data has left your perimeter it is at risk of being duplicated and leaked, so even if your data does return to the safety of your network, a copy will almost certainly exist elsewhere,’ Hendy says.

Even with the strongest network security, you’re still at risk of having a cybercriminal gain access to your network without your knowledge through the use of ‘compromised credentials’.

‘These kinds of attacks are on the rise because so many people use the same password across various accounts like banking, social media, online shopping and much more.

‘If one of those third parties suffers a breach, chances are they’ve unwittingly handed over the login credentials to your company network, giving criminals the chance to snoop around undetected and steal whatever they want. By the time you find out — which is usually 450 days after the breach first happened — it’s too late to do anything about it.’

How to combat the threat of the dark web and protect your data

  • Change the focus from network protection to data protection — with an acceptance that your data has already ‘left the building’.
  • Weigh up your options. For most companies, combatting the threat of the dark web is not something that you can do manually. Not only is it hidden, it’s dangerous (rife with malware and phishing sites — there’s no honour amongst thieves) and horrifying (you’ll see things you wish you could un-see and perhaps earn yourself a surprise visit from law enforcement agencies). The dark web is definitely ‘not safe for work’.
  • Consider advanced, automated monitoring software that continuously looks for your data in places where it shouldn’t end up — like dark web marketplaces and bin and dump sites. If the monitoring system finds something it believes to be yours, it should tell you immediately, alerting you to a potential breach you might not even know about yet.
  • Be aware that data monitoring is like tracking your children through GPS. If they go missing, you’ll at least be able to see where they end up. So, if you can track your data in this way, you can do something about it when things go wrong. And so, with today’s technology, there’s no reason for the dark web to remain a hidden threat to small businesses.

Ben Lobel

Ben Lobel was the editor of SmallBusiness.co.uk from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.
