Shining Light on the Dark Web – Cyber Risk Management Strategies to Minimize Impact on Your Business

Posted in: Commercial Insurance

There’s a suspicious-looking person in a trench coat typing away at a keyboard in a dark room. Are they stealing data? Selling drugs? Hiring hitmen for a job? This is what we think of when we hear the term dark web. In a recent webinar PSA hosted with Emily Wilson, VP of Research at Terbium Labs, we destigmatized the dark web by exploring what it is, what’s hosted there, and the different cyber risk management strategies to protect data from getting on the dark web.

What is the dark web?

The dark web has a negative reputation because it’s dramatized in TV shows, movies, and the news. However, at its core, the dark web is just another part of the internet. The truth is, criminal activity doesn’t just take place on the dark web—it’s spread across the internet (even to places like social media). There are three parts of the internet; here’s a breakdown:

1. Open web—the part of the internet we use every day (things you can find on google)
2. Deep web—not accessible through search engines, but doesn’t require special technology (it’s not being indexed—and you might need credentials. This can be for everyday things like bank accounts, or for criminal activities such as carding markets where credit card credentials are traded and sold).
3. Dark web—not accessible through search engines and generally requires a special dark web browser other than Chrome, Firefox or Internet Explorer.

According to Emily, “the dark web is designed for privacy and anonymity. However, the desire for privacy does not equate to criminality.” This is neutral and has no direct correlation to anything illegal or criminal.

What type of information is available on the dark web?

Both legal and illegal content exist on the dark web. Believe it or not, the dark web is a very similar interface to the sites you use every day. On any given site, there may be vendor and product reviews, and paid advertising—just like on Craigslist or Amazon. Here are some examples of material hosted on the dark web:

Legal content

• News sites, communities, and journalism resources
• Social networks and popular websites
• Music, games, fan forums, and funny videos

Illegal content

• Drugs for sale
• Personal information
• Stolen payment cards

Emily states that the fraud economy is incredibly resilient because it’s built upon digital, interchangeable goods. The “fraudsters” don’t care whose data they have, they care about what kind of data they have, and that’s difficult to disrupt.

What kind of data is traded on the dark web/in the fraud economy?

To build a strong cyber risk management strategy, it is important to understand the type of information that cybercriminals value. These are some of the top examples:

• Personal information (like addresses and Social Security Numbers)
• Financial information (such as bank passwords)
• Corporate data (for instance corporate email addresses or W2s and tax information)
• Guides and tutorials (like instruction manuals on how to commit cybercrime)
• Services and tools (such as exploit kits and phishing pages)

What can we learn from this?

How a business valuates their own data is not always aligned with how it is valued by cybercriminals. While confidential intellectual property is of highest importance to you and your clients, employee credentials could be more valuable on the dark web. This can cause businesses to underestimate exposures leaving critical data unprotected. Cybercriminals are interested in the following when collecting data:

1. Can I make money from it?
2. How much money can I make from it?
3. Can I use it again?

To get ahead of a data compromise, you have to understand that your information is exposed. You have to be proactive before well-resourced cybercriminals cause problems.

Cyber risk management strategies to protect your data

Here are five ways to improve your cybersecurity by limiting what shows up on the dark web:

1. Identify your sensitive data and technology “crown jewels” so you know what to protect. Complete a data-mapping project. If that’s not feasible, ask key people in each business unit what data they collect, where they store it, and what hardware and software they use to do their job. This will give you an idea about what technology and data you have and what is mission-critical.
2. Simplify and focus your cybersecurity efforts by addressing likely threats first. Otherwise, you might become overwhelmed and not do anything. At minimum, you should follow some essential best practices. To get started check out:
   • The top 20 critical controls list by the Center for Internet Security.
   • Carnegie Mellon University’s Cyber Hygiene Baseline discussing 11 best practices.
3. Apply your internal cyber risk management best practices to remote users and vendors. Regardless of how sound your internal cybersecurity process is, you could still be responsible if your data housed/managed by 3^rd party providers and vendors is compromised. Make sure they also have proper cybersecurity measures including cyber and professional liability insurance to mitigate your exposures. Also ensure your remote users and employees can access systems and data securely.
4. Invest in threat detection capabilities. Often businesses are breached months before they realize what happened, and by then their data is leaked to the dark web. To prevent this and catch cyber-attacks early, focus on improving your threat and incident detection capabilities, such as dark web monitoring.
5. Prepare to respond. Ideally, you should have a documented Incident Response Plan that you’ve practiced and tested. If nothing else, sit down with your core group of people and create a process on how you would handle a potential cyber incident. How would you respond? What external resources will you need to pull in? Think about your cyber insurance policy—will it cover your direct and indirect expenses and opportunity costs? Do this now so you don’t have to scramble in the middle of a crisis.

There’s nothing you can do to be 100% protected from cybercrime. But there are a lot of good cyber risk management resources available to help you decrease your exposure. For more information contact me at jnapp@psafinancial.com.

Interested in learning more?

Watch the recorded webinar

About The Author

James (Jim) Napp

Jim is the lead Account Manager of PSA’s Technology sub practice specializing in Technology Errors & Omissions and Cyber Liability insurance coverages. He focuses on supporting technology companies as well as any other businesses needing cyber insurance.