To commit financial fraud, criminals routinely use sites on the “dark web” (also known as the “dark net” or “deep web”). Although dark web sounds mysterious, the primary difference between it and the rest of the internet comes down to accessibility. By design, the dark web offers users anonymity and privacy, which provides platforms and marketplaces for criminals to exchange ideas, data and money.
How can your business protect itself from the threat of the dark web? First, learn more about this threat.
Old Days vs. New World
In the “old days” before the internet, criminals relied on person-to-person connections with fellow crooks. This effectively limited their reach and opportunities. But the web — particularly the dark web — enables them to monetize stolen data, such as credit and debit card numbers, and Social Security numbers. Dark web marketplaces help sellers find buyers, who often pay for stolen data with untraceable cryptocurrency.
The dark web also allows fraudsters to share best practices and learn how to commit certain types of fraud. For example, criminals can buy manuals that describe how to apply for fraudulent government loans or how to commit tax fraud. There’s also education available on thwarting the security defenses at certain companies.
Focus on Vulnerable Data
As frightening as this sounds, there are ways companies can fight back. For example, you can focus your efforts on certain types of data. Although financial statements and intellectual property have value, the most valuable data (and, thus, the most vulnerable to hacking) is the type that can provide a quick return. Cyberfraudsters generally favor personal information, such as bank account and credit card numbers.
It’s essential that you can account for all sensitive data in your company’s possession and that your data security plan provides adequate protection for it from external and internal threats. As you catalogue your data, make sure you have a compelling business reason to retain it. For example, is there a reason you ask customers to provide their date of birth, and is there a reason you keep the dates in your files? If not, consider destroying this data and discontinuing the practice.
Defending Your Castle
The most effective way to prevent your company’s data from appearing on the dark web is to maintain a robust IT security program. No system is foolproof, but the harder it is to gain access to your company’s data, the more likely cybercriminals will move on to a weaker target.
What makes a security program effective? Make sure yours includes:
- Antivirus protection,
- Identity and user access management, and
- Frequent testing.
Consider engaging a third-party security firm to assess your current security. The security firm might deploy a “red team” to act as an adversary that tries to breach your castle walls. At the conclusion of this exercise, the red team leader will share the results and outline any exposed weaknesses. Then the contractor will recommend improvements that can prevent similar attacks from succeeding in the future.
Keeping Tabs on the Enemy
After you’ve secured your network, the next item of importance is to monitor the dark web for your company’s data. Don’t assume that a breach hasn’t happened just because you don’t know about one. Monitoring the dark web often provides businesses with the initial tip-off that their security program isn’t effective.
If you find data that appears to be stolen from your databases, ensure that you’ve plugged the security gap. You’ll also need to notify customers (and other applicable stakeholders) about the theft to comply with applicable laws and regulations.
Of course, accessing and navigating the dark web requires some degree of technical knowledge. Therefore, hiring a specialist to search for your company’s data probably makes the most sense. Keep in mind that such searches may not yield immediate results. It can take months, sometimes years, for stolen data to appear on the dark web.
The very existence of the dark web can provide crooks with an advantage over companies and individuals. But if you devote the proper resources to defending your data and regularly monitor activities on the dark web, you can limit the damage caused by these fraudsters.