Keep your identity and information off the dark web with security awareness best practices
Details such as where you work, your passwords, personal email account credentials, credit card information, login details for online shopping sites, and other personal information are valuable commodities on the dark web.
Cyber criminals are operating on the dark web to monetize the information they have stolen by selling it to the highest bidder with no concerns about how your social security number or corporate login information is used. This is the human impact of a data breach.
For example, when your organization is hacked by a phishing email, the impacts run far beyond the monetary costs of restoring servers, regaining public trust, and lost customers. Once a cybercriminal has access to your organization’s confidential information and that of all your employees, the personal losses and damages know no bounds.
Plain and simple, stolen information is extremely valuable on the dark web. A recent Wired article underscores the wide net cybercriminals cast, showing no limits on the types or size of targeted organizations.
In May 2020, the hacking group ShinyHunters confirmed it had stolen information from a range of companies. Those organizations included Unacademy, an Indian education company, dating app Zoosk, meal kit company Home Chef, Minted, a design-focused marketplace, Mindful, a health and wellness site, the Minnesota Star Tribune, and Microsoft’s GitHub account.
While new data holds the most value on the dark web, cyber criminals continuously repackage old data, selling it to multiple buyers. This means if your organization is hacked, all your data, including information about your customers, employees, and partners, can be sold to an untold number of cybercriminals, each with different motives. As some information never loses its value, the impact of stolen data may not be noticed immediately, and it may take some time for cybercriminals to take advantage of the information they have stolen.
The dark web is not a myth – it’s a real revenue-generating marketplace where stolen information is a hot commodity. It doesn’t take much for your organization’s information (or your personal information) to end up on the dark web – one click of a phishing email link or a guessable password, and a savvy cybercriminal has easy access.
The best way to protect your data from a data breach or hack is with security awareness. Real-world examples of what happens to stolen data go a long way in reinforcing to your colleagues the importance of being click-aware and following security awareness best practices.
What is the Dark Web?
The dark web is an area of the internet that isn’t accessible with a Google or Bing search. This hidden part of the internet is mostly a marketplace for criminal activity.
Often thought of as the stuff of science fiction and crime movies, the dark web is real and extremely active. Essentially, whatever you want to buy – you can get on the dark web. Credit card numbers, guns, drugs, stolen account details, stolen Netflix login details, software that helps you breach personal computers, and more are available for a price on the dark web.
In his 2019 study, Into the Web of Profit, Dr. Michael McGuire of the University of Surrey digs into the dark web listings. Consider these items for sale and the real-world impacts should this information get into the wrong hands:
- Login credentials to a $50,000 Bank of America account priced at $500.
- $3,000 in counterfeit $20 bills priced at $600.
- Seven prepaid debit cards with a $2,500 balance priced at $500.
You cannot stumble onto the dark web with a Google search. Access to the dark web is available only with the Tor browser. This browser is designed to hide your identity and makes it impossible to trace your IP address.
While we’re focusing on the illegal sales on the dark web, not all dark web activity is related to the sale of stolen or prohibited goods. The dark web’s anonymous nature allows people who live in countries or environments where free speech or even internet access is restricted to communicate and network, even though such activity is still considered illegal.
The dark web is also home to hard-to-find books, current events discussion groups, chess and gaming clubs, and legitimate news sites.
The Roots of the Dark Web, Data Breaches, and How Criminals Profit
The dark web traces its roots back to the very early days of what eventually became the internet as we know it today. Dating back to the 1960s with ARPANET and evolving with the public availability of the internet and the increase of illegal music streaming sites in the 1990s, the release of Freenet in 2000, and eventually the launch of the Tor browser in 2002 – the dark web has become very much like an onion.
As you peel back the layers of the dark web, you find stolen data, free speech activists, drug and gun sales, sex trading, whistleblower networks, and a vast marketplace for anything that can be bought, sold, or stolen.
Silk Road is just one example of how the dark web is used for illicit and criminal activity. Silk Road was a dark web drug marketplace operated by Ross Ulbricht. Ulbricht was arrested and sentenced to a double life sentence plus 40 years for his role as the founder of this drug and stolen goods marketplace. Although this network was shut down in 2013, the proceeds stored in bitcoin were only seized by the U.S. Department of Justice in November 2020.
“Earlier this week, the bitcoin community was shocked when a digital wallet containing roughly $1 billion in bitcoin – thought to be proceeds from the now-shuttered dark web drug marketplace Silk Road – was emptied by an unknown individual. Now, those responsible for cleaning out the funds have revealed themselves: it was the U.S. government.”
And this is precisely why it’s critical that everyone in your organization understands the severe impact that lapses in judgment, which trigger phishing attacks, password theft, ransomware, and data breaches, have on your organization and the people associated with it.
The costs of a data breach do not stop when the network is rebuilt and relationships are restored (hopefully) with customers, investors, and employees. The stolen information lives on forever on the dark web – being traded, bought, sold and used to:
- Create fake digital identities
- Hack email accounts
- Reroute mail
- Open credit card accounts
- Shop online under an assumed identity
- Apply for mortgages, car loans, and government benefits
- Create forged documents or commit identity theft
There are no limits on how cybercriminals profit from the dark web.
While the news headlines about the dark web focus on drugs, guns, and other illicit activity, the damage being done to everyday individuals who have had their email hacked or credit card information stolen cannot be overlooked.
How to Keep Your Confidential Data off the Dark Web
As a CISO or security leader, you must give your organization and colleagues every opportunity to stay protected from cybercriminals, data breaches, and cyber threats. The best way to do this is to build a cyber-secure and aware organization.
Doing so requires emphasizing security awareness 365 days a year. As you know, the dark web is always active, and cybercriminals do not take days off for holidays or pandemics.
More than ever, as people live more of their lives online through remote work, virtual conferences, the boom in online shopping, virtual school, and entertainment, professional and personal information is at a higher risk of being stolen and sold on the dark web.
To keep your organization’s confidential information off the dark web, remember these keys to security awareness and data protection:
- Remind your employees of the real-world impacts of identity theft. Give them access to security awareness training on identity theft and how to stay protected.
- Establish strict password and account rules for everyone in your organization. Reinforce these password policies with real-world training scenarios showing how cybercriminals use stolen passwords to steal and do damage.
- Give employees easy access to password, phishing, and data protection security awareness training videos and micro-learnings.
- Keep lines of communication open with employees about cyber security risks and threats. Make it clear you want employees to contact you immediately if they think they have clicked a phishing link, accidentally exposed their password, or have received a suspicious text, phone call or email.
- Build a cyber-aware culture with regular communication, newsletters, campaigns, and cyber-heroes. Encourage people to proactively learn about the dark web, data breaches, and data protection. The more people know, the more alert they are to threats.
- Regularly monitor employee awareness of phishing and ransomware attacks with phishing simulations and ransomware simulations.
- Take advantage of free online resources such as the Terranova Cyber Security Hub to give your employees engaging and relevant content about cyber security best practices.
- Define network access rules to limit the use of personal devices and the sharing of information outside of your corporate network.
- Ensure all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
- Remind employees of remote and mobile working best practices. Reinforce the risks that come with open and unlocked laptop screens, free Wi-Fi networks, and working in public.
- Obtain dark web monitoring services. Some security organizations will monitor the dark web for any information or activity related to your organization.
An informed and cyber-aware organization helps you keep your confidential data off the dark web. Take steps now to keep your data and employees safe from the real-world impacts of stolen passwords, fake websites, and ransomware.
Share This Section On Data Protection with Your Employees
7 Ways You Can Protect Your Information from Cybercriminals and the Dark Web
When you log onto the company network or buy something online, the last thing you’re thinking about is stolen passwords, data leakage, or data breaches.
And while we don’t want you working and interacting online in a state of fear, we want you to be aware of the real threats that exist regarding your personal and company information. Ultimately, cybercriminals want to access information for illegal use, often selling it on the dark web.
To protect and keep your information secure, remember these 7 keys to cyber security:
- Never share your password and username details with colleagues, friends, family members, or the IT department. If you accidentally provide this information, change your password immediately and contact your manager.
- Always create a unique and secure password. When creating passwords for personal accounts, use a combination of at least eight upper- and lower-case letters, numbers, and symbols. Do not use names, words, or familiar phrases in your passwords.
- Be aware of the cyber threats arriving daily in your email. Pay attention to emails from banks, companies, and charities asking you to update passwords, confirm account details, or prove you are a real person.
- Do not click links, download attachments, or reply to unsolicited emails or text messages. Always visit the website directly by entering the URL or using favorites/bookmarks to access these websites.
- Do not enable browser storage of account usernames and passwords. Doing so makes it very easy for cybercriminals to access all your online accounts, regardless of how strong your passwords are.
- When in doubt – ask questions. If you receive an email from a manager asking you to transfer funds, share documents, or confirm account details – contact the person directly and alert the IT department.
- Know the signs of social engineering. Cybercriminals send convincing emails, text messages, and voicemails urging you to act quickly. They may claim your data has been stolen and that you need to update your credit card information immediately, or pretend to be a family member who urgently needs money.
We want you to be proactive and involved in our organization’s cyber security. Please be our first line of defense against cybercriminals and data breaches.