Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
If you want to scare the heck out of yourself, read this report from VPNoverview on typical “dark web” data theft sites, including the cost for compromised data such as PayPal transfers, bank cards, and full identities.
Don’t bother wondering whether criminals are buying and selling your firm’s data on the dark web.
Assume they are.
The dark web is a sublayer of the internet that isn’t visible to standard search engines such as Google and Bing.
It can be worth the expense of a dark web scanning service to confirm whether your firm’s data is being sold. But scanning doesn’t directly protect your data – it’s valuable only as one tool for improving your staff’s overall cyber-hygiene.
Cyber-thieves will always target financial services companies. And the risk is increasing substantially for this industry.
Among the top cyber-crime trends for 2020 forecast by the cybersecurity authority, Kaspersky, is increased targeting of financial services, including investment apps, mobile banking, financial data processing systems, and other fintech/banking services.
Inevitably, a good portion of data that thieves harvest will be peddled on the dark web.
Where your data goes on the dark web
Unlike the regular web, a.k.a. the “surface web,” dark web sites aren’t indexed by standard search engines, so it’s difficult or impossible to trace traffic and/or transactions back to a specific user.
Although the dark web is used for some legitimate purposes, its anonymity makes it a magnet for illegal endeavors, such as selling stolen data. Typical dark web hubs of criminal activity include:
- Hacker community forums and chatrooms where cyber-thieves trade tools and methods used to steal data, and to report software vulnerabilities;
- Data auction sites or “bazaars”;
- Peer-to-peer file sharing networks for exchanging stolen data; and
- Command-and-control servers that harvest data through malware and botnets.
Types of data that cyber-thieves harvest for the dark web
The most damaging types of data that may be harvested from your company for sale on the dark web include:
- Online account credentials, including the user ID and password for email, banking, and third-party services such as PayPal, DropBox, Mailchimp, etc.;
- Network credentials, e.g. user ID and password for your business’s IT network access, including remote desktop protocols that your remote staffers use, and administrative accounts that really give hackers the keys to your kingdom;
- Customer data, including identity (name, address, phone, Social Security, social media accounts, etc.), credit card, bank account and routing numbers, and more;
- Employee data such as your HR records, 401(k) and bank account information, and everything listed above under “customer data”;
- Proprietary information your company’s competitors or other bad actors might profit from by copying or compromising your products/services; and
- Vulnerabilities that hackers have already discovered in your IT network, but may not have exploited yet.
What dark web scanning/monitoring can do
Dark web scanning companies search for data containing any email domains and unique identifiers (called IP addresses) connected with your firm and its network. They run continuous scans with artificial intelligence, such as bots, sometimes augmented by people who know their way around the dark web.
Don’t do it yourself. The hacker communities know how to detect amateur detectives – and how to make them pay an even higher price for poking around.
Instead, work with a firm that specializes in dark web monitoring for small- to medium-sized businesses (SMBs), such as ID Agent.
Firms like ID Agent can do an initial dark web search for data from your company, including compromised company email addresses and passwords, and then update you whenever new compromises are detected.
If you use a managed IT services firm, it can monitor the dark web scanning provider’s reports for you, and alert you when necessary.
Can you remove your company’s data from the dark web?
If you find your company’s data in one place on the dark web, it’s been shared and stored on multiple servers. Dark web monitoring tools can’t remove your data from the dark web – they can only tell you it’s there.
Still, dark web monitoring for your business is a useful tool. Based on the type and location of your data that’s found on the dark web, you can get valuable clues about how it got there.
For example, a dark web scan may turn up multiple identical logon credentials for a single employee. That person appears to be using the same logon ID and password for your network in addition to multiple third-party sites, such as your broker/dealer portal, an HR provider, your CRM system, etc.
That’s a common mistake that employees make, and cyber-thieves can use those credentials to hack into your system and create plenty of other mayhem. Employees who fail to follow basic cyber-hygiene are the largest cause of data breaches and other cyber-crime.
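As an added illustration (not part of the original article and not any monitoring vendor's tool), the Python below triages a monitoring report the way the scenario above describes: it keeps only records for the firm's email domain and flags employees whose same password turns up in more than one place. The domain, the sample rows and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

COMPANY_DOMAIN = "advisors.example"  # assumption: placeholder for your firm's email domain
RUN_KEY = secrets.token_bytes(32)    # per-run key: fingerprints are useless outside this run

# Constructed sample rows (email, exposed password, where the record was found).
FINDINGS = [
    ("J.Doe@advisors.example", "Summer2019!", "crm-vendor breach"),
    ("j.doe@advisors.example", "Summer2019!", "hr-provider breach"),
    ("j.doe@advisors.example ", "Summer2019!", "broker-dealer portal dump"),
    ("b.kim@advisors.example", "Vikings#1", "crm-vendor breach"),
    ("b.kim@advisors.example", "Vikings#1", "paste site"),
    ("a.lee@advisors.example", "x9$Lq!vT2p", "crm-vendor breach"),
    ("a.lee@advisors.example", "Rk7#mZ0wq@", "hr-provider breach"),
    ("someone@other-firm.example", "Summer2019!", "crm-vendor breach"),
]

def fingerprint(password):
    """Keyed digest so equal passwords can be grouped without keeping plaintext."""
    return hmac.new(RUN_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def find_reused_credentials(findings, domain, min_sources=2):
    """Map each in-domain email to {fingerprint: sources} for every password
    exposed in at least `min_sources` distinct places."""
    seen = defaultdict(lambda: defaultdict(set))
    for email, password, source in findings:
        email = email.strip().lower()
        if email.rpartition("@")[2] != domain:
            continue  # record belongs to another organisation
        seen[email][fingerprint(password)].add(source)
    reused = {}
    for email, by_fp in seen.items():
        hits = {fp: sorted(s) for fp, s in by_fp.items() if len(s) >= min_sources}
        if hits:
            reused[email] = hits
    return reused

def reset_queue(findings, domain):
    """Accounts to reset first: the most widely exposed reused password on top."""
    reused = find_reused_credentials(findings, domain)
    return sorted(reused, key=lambda e: (-max(len(s) for s in reused[e].values()), e))

if __name__ == "__main__":
    report = find_reused_credentials(FINDINGS, COMPANY_DOMAIN)
    for email in reset_queue(FINDINGS, COMPANY_DOMAIN):
        for fp, sources in report[email].items():
            print(f"{email}: password {fp} exposed in {len(sources)} places: {sources}")
```

An employee whose exposed passwords all differ (a.lee in the sample) is not flagged for reuse, though each exposed password still needs to be changed.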
Three steps to keeping your data off the dark web
Given that you can’t remove your company’s data from the dark web once it’s there, your best strategy is to improve your employees’ cyber-hygiene so it’s more difficult for thieves to get their virtual paws on your data. Start with these three steps:
1. Regular cybersecurity training
This should include phishing training, including monthly or quarterly mock phishing emails sent to your employees to test their reactions. Phishing and other email compromise attacks are the most prominent method for cyber-thieves to sidestep your network protections.
To be effective, cybersecurity training needs to be conducted more than once per year. It doesn’t have to be formal training. Quarterly updates about a relevant cyber-crime trend can be enough – just something that keeps employees aware of the threat.
2. Use a password manager
Weak passwords – especially those that employees reuse across multiple sites, such as the third-party sites mentioned above – are among the most common data for sale on the dark web. Use a password manager such as LastPass or Dashlane to create strong, unique passwords for every site.
3. Enable two-factor authentication (2FA)
2FA adds a second layer of security to passwords, to make it more difficult for attackers to gain access to a network or a device. For example, in addition to entering a password on a laptop, a user is required to enter a code that is texted to the user’s cell phone, or provided by an app.
Make sure you’re protecting your email account with 2FA – Office 365 and Gmail support this.
Audit your online accounts and turn on 2FA for any that support it. (Twofactorauth.org will show you those that do.)
No cybersecurity measure is perfect – but do what you can
But hackers are finding ways around 2FA.
Does that mean you shouldn’t bother with it? No – you’re still better protected with 2FA than without it. And it’s the same for just about any measure you can take to keep your data off the dark web.
Nothing will protect your data completely. Even so, every step you take to make your firm a less desirable target for cyber-thieves could prevent an attack that causes serious losses for you or your customers.
Reid Johnston is founder and CEO of TechGen, a Minneapolis-based IT managed services provider specializing in cybersecurity for small- to medium-sized financial services companies.