The dark web and protecting small business.
What Is The Dark Web?
The United States government created the dark web’s multi-layered tor (the onion router) technology in the mid-1990s to allow spies to anonymously exchange information.
The dark web attracts a lot of bad actors. They buy and sell malware, computer exploit kits, passwords, credit cards and proprietary business information obtained using ransomware, malware and account hacking.
The dark web is not all bad. It is used by journalists and law enforcement, and also in countries where certain free, open communication is restricted or punished. By and large though, the dark web is full of dark stuff, and even visiting it can put you in danger if you are tracked and targeted by one of it’s unsavoury characters.
Finding the dark web isn’t something you can just Google. Users need specific software, configurations, and even authorization to access the Dark Web. Users hide their IP address and use encryption to anonymize their identity for maximum privacy. And that makes them very hard to track. As a result, there is a lot of illegal activity on the Dark Web. Commonly found for sale item include:
- stolen credit card or bank account numbers
- guns, drugs, counterfeit money, child pornography and human trafficking
- malware and tools to breach businesses
- leaked business data
- stolen access credentials for email and other business accounts
How Does This Impact Your Business?
Your own and your employees user names and passwords could be sold on the dark web. Without systems in place to alert you to unknown devices attempting to log in to your accounts, you can be breached.
Breaches costs hundreds of dollars per record and the average small to medium sized breach costs $120,000 in remediation, downtime and damages.
There is also the breach report to contend with. It is require by law to report all breaches now.
There is also the client notification process, where you must disclose the breach to clients.
Any proprietary plans or research can be stolen and sold.
A breached computer can be used to install ransomware and hold your business further hostage.
Your business reputation and day to day operations would do well to avoid all of the above. Fortunately, many cyber threats are thwarted with even basic monitoring and management processes.
One 2019 research study found that 60% of all listings on the Dark Web could harm enterprises. The number of those bad-for-business Dark Web listings had also risen by 20% since 2016.
These Dark Web listings posed business risks such as:
- CEO / owner account hacks
- fraudulent wire transfers from business bank accounts
- undermining brand reputation
- loss of competitive advantage
- denial of service attack or malware disruption
- IP theft
- fraudulent activity
- ransomware installation for financial gain
Small Business Are At Risk – Even If You Have Antivirus
You might think your business is safe. You’ve got a top-notch firewall and antivirus protection in place, but that’s just the beginning.
Perhaps you believe you are too small to be a target. Why would any cybercriminal care about your data? Small is an easy target. And many of these exploit kits are automated attacks, set to run against anything they can ping – business big and small.
Headlines sensationalize stories of large organizations being hacked – Home Depot, My Fitness Pal, The Marriot Hotels. We shake our heads at their lack of security and then move on. Now, you might think you don’t care if someone buys a pilfered list of usernames and passwords for My Fitness Pal, but if your employee used their My Fitness Pal password to access a work account – now you have a problem – and you are not even aware of it yet.
Hackers rely on our bad habit of re-using passwords, and they also have automated database runs where they import stolen log in credentials and check for matches against other accounts. It’s odd to think of cyber criminal activity as a highly efficient, fast adopting, technologically driven “industry”, but it is. And that should motivate all business owners to adopt technology in defence.
Employee education, password security enforcement and Two Factor Authentication go a long way to protecting your business against leaked credentials, and are low cost.
Beyond those basics, you need IT professionals on your side, keeping watch over every device and authorization attempt.
Privacy specialists and cyber security researchers share their findings, which illustrate that Dark Web victims often include medical practices, dental offices, accounting practices, retailers, school districts, restaurant chains, and other small businesses.
Worse still, Dark Web information is up to twenty times more likely to come from an undiscovered and unreported breach.
Despite your best efforts on your end, you could still be at risk? There are several strategies you can adopt to minimize threats.
Protecting Small Business From The Dark Web
If your data is on the dark web, there is little you can do after that fact. Therefore, prevention is your top priority.
Invest in cyber security tools and services that allow you to be proactive and have strong cyber security procedures in place.
Antivirus is necessary but not enough.
Daily and weekly software and security patching is necessary as well. All the software you use has new security issues discovered within it’s code regularly. The developers of the software release patches to fix those security issues. If you don’t apply the patch, you are vulnerable. Sadly, most employees ignore computer prompts to install patches and restart computers. By outsourcing and automating this process, you close many security gaps with one step.
Monitor every device and cloud account for log in attempts, and only allow log ins from authorized devices with the correct credentials. Your IT Management company will setup and maintain these systems for you.
Have the ability to remote wipe a device if it is breached, lost or stolen. This limits risk of data leaks or data ending up on the dark web.
Organize and limit your staff’s access to company information based on their job role and responsibilities. For example, someone on the marketing team doesn’t need to be able to get into the sensitive information in the HR database. So, make sure they don’t have those permissions and access rights.
When staff change roles, their access rights should, too.
When staff leave your company, all access from all devices must be revoked. Their email password will still work if you don’t have tools and processes to lock out their access. This means they can leave the office, access work email on their mobile phone, and do a lot of damage. This is all preventable so make sure you set up the right systems to protect your business from bad actors – former employees and cyber criminals alike.
It’s important to educate your employees about cybersecurity best practices. These include:
- avoiding credential reuse – encourage them to use password managers to store random, hard-to-remember passwords;
- encrypting devices that access company data;
- restricting access to company data to approved devices only;
- questioning social engineering and phishing tactics, including emails with malware attachments or links to false sites with prompts to reset passwords or login access.
Your business might also sign up for monitoring, which keeps an eye on the Dark Web for any data related to your business.
How We Can Help
As your managed service provider, we serve as your IT department – keeping your business in the light. We provide:
- monitoring and insight;
- password management;
- user access management;
- device management;
- data encryption;
- email security;
- threat detection and remediation tools;
- small business IT expertise.
Our Toronto IT consultants can plan and implement your cybersecurity services and protection and support you and your team so that you can work with ease & security every day.
Disaster prevention and recovery is less costly and less stressful than the alternatives.
Talk to us today about prevention and security for your business.