Data Breach Digest: Dark Web 101: What it is and how to keep your data safe

Sept. 1, 2017
Companies cannot use their unfamiliarity with dark web marketplaces as an excuse not to act

How much do you think your data is worth? How much would you pay for your email password or bank account user name? Turns out these credentials can be bought for as little as $1. Buying vetted, high-quality credit card details – including card number, billing address, birth date, and online account information – will only put you out $30. These items are bought and sold every day by criminals of varying skill levels on the dark web.

The dark web can be difficult to understand – in the simplest terms, it is an area of the internet where illegal goods are bought and sold on the black market. While items such as guns and drugs can be purchased in these marketplaces, many of them specialize in selling stolen information. Data being sold across these platforms ranges from user credentials to social security numbers to intellectual property. Although many parts of the dark web can only be accessed with special browsers and software, the dark web – and the sale of stolen data – is becoming more mainstream. In fact, many of these illegal marketplaces are easily accessible if you know which words to search – no special tools needed.

Not only is data being sold in these marketplaces, so are the tools to steal it. Now even the least computer-savvy individuals can launch DDoS attacks and ransomware with the click of a button.

Given the numerous cyber threats companies face every day and the number of hackers trying to access their data, understanding the dark web and monitoring sensitive information should be a no-brainer. However, it does not appear that many companies are taking it seriously, putting themselves and consumers at risk. According to the Ponemon Institute, only 15 percent of companies are subscribing to dark web monitoring services.

While the unknown aspects of the dark web can be intimidating for businesses, this cannot be an excuse not to act. Protecting your data and consumer information needs to be a multifaceted approach. The following steps can help companies keep their data off these illegal marketplaces, and protect themselves if their information does end up on the dark web.

Step 1: Set Up Your First Line of Defense

Ensuring your company has a strong defensive position is crucial to preventing a breach and keeping your data out of the wrong hands and off the dark web. While this does include setting up advanced, multi-pronged, layered defenses to protect data and detect breaches, companies should not forget the most basic aspects of protecting their information: creating strong passwords, training employees about cyber threats and updating software.

As a best practice, companies should prioritize understanding what data they are in possession of and where it is stored. This is key to quickly identifying if a breach has occurred and exactly which information was compromised.

Step 2: Sign Up for Business Credit and Dark Web Monitoring 

The reality of today’s world is that it’s no longer a question of if your company will be the victim of a data breach but when. Despite taking the right steps, there is a real chance your company will be breached, and that you may be unable to detect the breach immediately. Take advantage of software solutions that can help monitor the security of your business. A monitoring service can keep track of your business’s overall health and mitigate the risk of breach. Monitor employee and customer credentials and business credit scores to detect fraudulent activity early. Investing in business credit and dark web monitoring services can help your company identify that activity more easily. While there is no way to take the information off the dark web, your company can then begin the forensic analysis to determine where the breach occurred, notify the appropriate regulators and take steps to protect impacted stakeholders.

Step 3: Consider Remediation Steps

Following a breach, companies should pay special attention to meeting all regulations required by federal, state and local laws. However, regardless of the law, companies should always consider offering consumers identity protection services. In fact, 63 percent of consumers want identity protection following a breach, and taking this simple step can help save your company’s reputation. When selecting a protection product for the affected breach population, organizations should have a strong understanding of the various product features and capabilities. At a minimum, the product should include: consumer credit report, credit monitoring, dark web and internet records scanning, fraud resolution services and identity theft insurance.

Companies are faced with a barrage of cyberthreats on a daily basis, and are constantly working to prevent, detect and thwart attacks. As hacking technology becomes more and more accessible to the everyday user, monitoring the dark web is the next step to securing company and consumer data. With the demand for stolen data growing, this is the best way to ensure your company can stay ahead of the game and give your customers peace of mind.

About the Author: 

Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently serves on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.