When your company’s computer systems are hacked, the chances are that some of the stolen data will end up for sale on the dark web. No business, large or small, can afford to look away.
The dark web has multiple identities. Parts of this vast information and communications universe are relatively benign. Some inhabitants might want nothing more than an anonymous place to express their political ideals, access banned media, meet like-minded people and generally explore their identities. But the dark web also hosts a criminal underworld where people in closely guarded back rooms trade in illegal goods and services – weapons, drugs, illicit content and stolen information such as intellectual property, IP addresses, credit card details and passwords.
The highly publicised Ashley Madison data breach offers a sobering example of what can happen to a business and its customers when sensitive data is exposed and exploited. Yet business leaders often know little about the dark web. They don’t know if their data has been posted on this vast collection of unindexed websites, and they don’t want to know because they think there’s nothing they can do about it.
Start with the misconception that once sensitive data has left the building it’s ‘game over’, and CEOs risk missing an opportunity to limit damage from information that has been stolen but hasn’t yet been sold. Start with an awareness of how the dark web works and the tools available to penetrate its deepest recesses, and incident management takes on a focused, more targeted edge.
Think of the dark web as a marketplace. Thieves might sell your company data straight to a trusted contact or post titbits of information to lure prospective buyers. They might divide it into smaller packages or sell it as a job lot to the highest bidder. They might sell the prime cuts to one person (a recent Experian report suggests that passports can fetch up to $2,000) and auction off the gristle to the horde (a full package of customer information including account numbers fetches just $30).
Lone wolves might use your intellectual property to buy influence with criminal gangs or to showcase their talents in order to secure a bigger and more lucrative commission. And while the criminals make deals, the vast majority of companies whose details are being traded bask in ignorance.
A study sponsored by IBM suggests that it takes an average of 197 days for companies to become aware of a breach, never mind realise that their data is in the dark web shop window. Those who act within 30 days save an average of $1m in containment costs. With access to a ready market, criminals trading on the dark web are able to act very quickly and the message from IBM is that companies must follow suit.
Despite being hidden from search engines and masking IP addresses using layers of encryption and multiple computers to relay messages, the dark web isn’t entirely a riddle, wrapped in a mystery, inside an enigma. There are ways to find out whether your company’s data is up for sale, and it is possible to take action. The question for many C-suite executives and their boards is what to do and who to trust.
- Don’t mount your own search
Without the right tools, combing the dark web is like looking for a needle in a haystack. It could expose your company to damaging malware and searching questions from the regulator. Cyber security consultants may be able to advise you on what information to search for and how to look for it. Ensure the company you work with shows you exactly what they’ve found. It is also worth asking for historic information present on the dark web prior to your commission.
- Choose targeted tools
Fully automated surveillance products monitor the dark web 24/7 for possible threats. However, those that cast their net too widely are likely to return an overwhelmingly large volume of alerts, few of which are real threats. The danger from such ‘false positives’ is that when the threat detection tool cries wolf, people stop listening. More advanced tools cross-reference and reinforce potential warning signs to filter out the false positives, pointing your company in the direction of the alerts you need to prioritise.
- Commission wisely
If you have in-house cybersecurity expertise, you might simply want to commission a service that detects threats and sends notifications, so you can take action. If that’s the case it’s vital to create systems, protocols and procedures that ensure you can respond quickly and appropriately to high-level alerts. If you don’t have internal expertise or lack the capacity to respond rapidly you might choose to work with an organisation that immediately follows up if they discover that critical information or assets belonging to your company are about to be sold on the dark web. Be clear about their credentials and services and check out their response times.
- Early warnings and post-breach analysis
It’s possible to purchase early warning systems that act as a sort of burglar alarm. They let you know if someone is rooting around your systems, what they are looking at and how they got in. This information gives you an opportunity to focus your response on addressing specific, active threats before your company’s details end up on the dark web. Consider including post-breach analysis, advice and action as part of the commission. If the company you commission can find out how intruders got in, this will help you strengthen your systems and pinpoint the need for specific staff training/awareness raising.
- Brains and bots
Criminals operating on the dark web set up invite-only rooms which can be extremely difficult to access. Stolen data is sold in these rooms and the only way to get in is to pass a complex screening process. Humans tend to be better than bots or crawlers at accessing these rooms, so consider organisations that employ experienced analysts for this purpose. They will attempt to remove posts or use tactics to disrupt the market and delay the sale of your data. This buys your organisation time to change passwords and take other action to block access.
- Think beyond your perimeter
Companies are responsible for data that exists outside their company walls. For example, you might use a remote server, share information with partner organisations and suppliers or store customer data on a CRM platform. Protecting data within your perimeter is at best a partial solution and may leave you exposed to potential fines for non-compliance with data protection regulations. Some companies ‘watermark’ your information and are able to identify it on the dark web even if the breach occurred outside your perimeter.
Prevailing wisdom suggests that by the time your data leaves the building it is too late. Why follow a criminal down a rabbit hole? What’s to be gained by getting low down and dirty with the kingpins of the criminal underworld? But prevailing wisdom isn’t always right. Incident response can pinpoint specific action based on timely intelligence.
Creating a huge blind spot in your cybersecurity approach is a high-risk strategy. What you don’t know can hurt you, and what you do know can help you. If you know when your systems are being infiltrated, if you know how intruders got in and if you know where your data ends up you can start to take control. It’s never too late.
Phil Chambers is the Chief Operating Officer of Metro Communications.
For more advice about how Metro Communications can protect your confidential conversations and information, visit www.cyberburglaralarm.com