The information a hacker needs to access your company’s IT network — including your financial accounts and/or those of your customers — could very likely be for sale on the Dark Web right now. Here’s how to find out whether that’s happening, and what you should do about it.
Let’s start by de-mystifying “the Dark Web.”
What is the Dark Web?
The Dark Web is a sublayer of the internet that isn’t visible to standard search engines such as Google and Bing. Cyber criminals use the Dark Web to sell stolen data, including credentials (such as user IDs and passwords) that unlock your business’s IT network and financial accounts.
The anonymous nature of the Dark Web makes it a magnet for illegal activity. But it’s used for legal activities, too. You can find chatrooms, games, email, Facebook-like social media platforms, and other places where you may legitimately wish to keep your identity private.
Journalists, law enforcement officials, and others use the Dark Web to protect sources and exchange sensitive information securely.
But far more of the Dark Web consists of sites devoted to crime, including data theft aimed at company IT networks. Typical Dark Web hubs of criminal activity include:
- Hacker community forums and chatrooms where cyber thieves trade tools and methods used to steal data, and to report software vulnerabilities
- Data auction sites
- Peer-to-peer file sharing programs or networks for exchanging stolen data
- Command-and-control servers that harvest data through malware and botnets
WARNING: This VPNoverview report on typical Dark Web data theft sites WILL scare you.
If you want to scare the heck out of yourself, read this report from VPNoverview on typical Dark Web data theft sites, including the standard cost for specific compromised data such as PayPal transfers, bank cards, full identities, stock tips, and more.
What Makes the Dark Web “Dark?”
Unlike the regular web, a.k.a. the “surface web,” the Dark Web isn’t indexed by standard search engines such as Google.
Every machine that accesses the surface web has a unique IP (Internet Protocol) address that’s registered to a specific user, and kept in a central index that’s something like an immense phone book.
For example, let’s say you use your PC to enter “Minneapolis plumbers” into Google. That search is routed through a number of web servers to return a list of local plumbers to your PC.
Anyone with the basic know-how to track your search could do it easily, and see the IP addresses of your machine and all the web servers that routed your search.
On the Dark Web, however, the users — and the servers that host a universe of encrypted networks — are anonymous. The Dark Web can still be searched, but the search can’t be tracked easily, if at all.
Also, Dark Web users generally use cryptocurrency like Bitcoin for purchases, which can make these transactions difficult or impossible to trace.
What Type of Company Data Can Wind Up on the Dark Web?
The most potentially damaging types of data that may be harvested from your company for sale on the Dark Web include:
- Online account credentials, including the user ID and password for email, banking, and third-party services such as PayPal, DropBox, Mailchimp, etc.
- Network credentials, e.g. user ID and password for your business’s IT network access, including administrative accounts that really give hackers the keys to your kingdom.
- Customer data, including identity (name, address, phone, Social Security, social media accounts, etc.), credit card, bank account and routing numbers, and more.
- Employee data such as your HR records, 401(k) and bank account information, and everything listed above under “customer data.”
- Proprietary information your company’s competitors or other bad actors might profit from by copying or compromising your products/services.
- Vulnerabilities that hackers have already discovered in your IT network, but may not have exploited yet.
What’s the Most Common Way for Criminals to Harvest the Type of Company Data That is Sold on the Dark Web?
Any type of data breach can result in your firm’s data landing on the Dark Web, including those caused by:
- Outdated and/or unpatched software
- Malware (often installed via phishing emails)
- Insider fraud
- Loss or theft of a company device
- Human error, including weak passwords
One of the most common ways your data can be breached is when employees log in to third-party providers.
For example, when your employees use their work email on websites like those shown below, they’re at risk of having these emails and passwords exposed in a data breach, or actually used to create a data breach. (This list was compiled by ID Agent — more about them below.)
9 Ways Your Employees’ Work Credentials Can Lead to a Breach
- HR and Payroll
- Microsoft Office 365
- Customer Relationship Management (CRM)
- Banking and Finance
- Bank of America
What is Dark Web Monitoring?
Can you monitor the Dark Web’s stolen data markets yourself for data tied to your firm? I DO NOT recommend doing it yourself. The hacker communities know how to detect amateur detectives — and how to make them pay an even higher price for poking around.
Instead, work with a firm that specializes in Dark Web monitoring for SMBs, such as ID Agent.
ID Agent can do an initial Dark Web search for data from your company, such as compromised company email addresses and passwords, and then update you whenever new compromises are detected.
If you use an IT managed services firm such as TechGen, that firm can handle the Dark Web reports from providers like ID Agent for you, and alert you when necessary.
Can You Get Your Company’s Data off the Dark Web?
Chances are, if you find your company’s data in one place on the Dark Web, it’s been shared and stored on multiple servers. Dark Web monitoring tools can’t remove your data from the Dark Web — they can only tell you it’s there.
Still, Dark Web monitoring for your business is a useful tool. Based on the type and location of your data that’s found on the Dark Web, you can get valuable clues about how it got there. That can be a strong wake-up call about how to prevent further breaches.
Human error is the most common cause of data breaches. Hackers often succeed only because employees don’t follow basic cyber hygiene. So here’s what you need to do to make it more difficult for the bad guys to target your business:
3 Ways to Keep Your Data off the Dark Web
1. Regular cybersecurity training
This should include phishing training, because phishing and other email compromise attacks are the most prominent method for cyber thieves to sidestep your firewall and other network protections.
To be effective, cybersecurity training needs to be more than a once-per-year snoozefest. (See our recent post on cybersecurity awareness training.)
2. Use a password manager
Weak passwords — especially those that employees use on multiple sites like the third-party sites shown above — are among the most common data for sale on the Dark Web. Use a password manager such as LastPass to create strong, unique passwords for every site. (More on password security.)
3. Enable two-factor authentication (2FA)
2FA adds a second layer of security to passwords, to make it more difficult for attackers to gain access to a network or a device. For example, in addition to entering a password on a laptop, a user is required to enter a code that is texted to the user’s cell phone, or provided by an app.
- Make sure you’re protecting your email account with 2FA — Office 365 and Gmail support this.
- Audit your online accounts and turn on 2FA for any that support it. (Twofactorauth.org will show you those that do.)
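An added example, not part of the original post or any monitoring provider's tooling: one way to combine Dark Web monitoring findings with a 2FA audit to rank which accounts to fix first. The record format, field names, scoring weights and example.com addresses are all constructed assumptions.

```python
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: placeholder company domain
# Constructed sample findings in a hypothetical format (not a real provider schema).
FINDINGS = [
    {"email": "ann@example.com", "source": "crm-vendor breach", "password_exposed": True},
    {"email": "Ann@example.com", "source": "payroll-site breach", "password_exposed": True},
    {"email": "bob@example.com", "source": "marketing-list leak", "password_exposed": False},
    {"email": "it-admin@example.com", "source": "file-sharing breach", "password_exposed": True},
    {"email": "carol@gmail.com", "source": "forum dump", "password_exposed": True},
]

# Constructed account inventory: 2FA status and whether the account is administrative.
ACCOUNTS = {
    "ann@example.com": {"two_factor": True, "admin": False},
    "bob@example.com": {"two_factor": False, "admin": False},
    "it-admin@example.com": {"two_factor": False, "admin": True},
}

def triage(findings, accounts, domain=COMPANY_DOMAIN):
    """Group findings per company account and rank remediation, most urgent first."""
    hits = defaultdict(list)
    for f in findings:
        email = f["email"].strip().lower()     # same mailbox regardless of case
        if email.endswith("@" + domain):       # ignore addresses outside the company
            hits[email].append(f)
    plan = []
    for email, found in hits.items():
        # Accounts missing from the inventory are treated as having no 2FA.
        acct = accounts.get(email, {"two_factor": False, "admin": False})
        score, actions = 0, []
        if any(f["password_exposed"] for f in found):
            score += 2
            actions.append("reset password")
        if not acct["two_factor"]:
            score += 2
            actions.append("enable 2FA")
        if acct["admin"]:                      # admin accounts weigh the most
            score += 3
            actions.append("review admin sign-ins")
        if len({f["source"] for f in found}) > 1:
            score += 1
            actions.append("review work-email use on third-party sites")
        plan.append({"email": email, "score": score, "actions": actions})
    return sorted(plan, key=lambda r: (-r["score"], r["email"]))

if __name__ == "__main__":
    for row in triage(FINDINGS, ACCOUNTS):
        print(row["score"], row["email"], "; ".join(row["actions"]))
```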
Get a Professional Cybersecurity Assessment
Beyond these three cyber hygiene practices, you should have your complete IT system reviewed by cybersecurity experts with experience serving small to mid-sized companies. That’s my line of work, of course, so while this is a self-serving recommendation, it’s the truth.
System-level protections, such as antivirus/malware installation, firewalls, and VPNs, should be handled professionally and updated regularly.
Human error and hackers can still circumvent these protections — even at the biggest and best-protected companies. But the key is to make it harder for the bad guys to do their dirty work, so they just move along to easier prey.
I’m not trying to add to the litany of fears we have as business owners. Instead, I’m hoping this basic roadmap of Dark Web threats will help you make informed decisions about how to protect your data, IT systems, and clients from these threats.