The Internet that you and your employees use daily is known as the surface web. This network of websites, including yours, is powered by search engines. Everything on this part of the web is available to the general public.
There's another segment of the web that most companies don't access—the dark web. As its name suggests, this is a hidden part of the web, and activities that go on there are often of a negative nature.
"The dark web is accessed by using special software and web servers [called] centralized computers hosting webpages. The most common of these special software are TOR [The Onion Router] and I2P [Invisible Internet Project]," says J. Eduardo Campos, formerly a cybersecurity advisor for a major tech company and currently co-founder of the consulting firm Embedded Knowledge.
"These dark web servers use multiple layers of security—encryption—to maintain anonymity for users and site owners via masked IP addresses," continues Campos. "TOR and I2P servers mask the web addresses of information and users. You can only find those addresses using special software."
The core principles behind TOR were originally developed by US Navy cryptologists. The software was released in the early 2000s, explains Pedram Amini, CTO of InQuest, a network security solution platform.
"By running Tor, internet communications are randomly routed through a global network of relays," says Amini. "This provides a valuable anonymization (anonymity) service for journalists and activists who may be targeted by their regime. That same anonymity also empowers illicit behavior."
What Happens in the Dark...
Due to the ability to be anonymous on the dark web and hide behind multiple layers of encryption, the space is a hotbed of online criminal activity.
"Primary uses for the dark web include illicit drug and weapon purchases, criminal-for-hire boards, the exchange of stolen information and more," says Amini. "Cryptocurrencies are typically used in the sale of these criminal goods and services."
"The dark web is best understood as a bad neighborhood within the deep web, that part of the web that search engines can't see and access," says Adam Levin, founder of the cybersecurity company CyberScout. (He is also author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.)
The most well-known case of criminal activity on the dark net occurred with the Silk Road, notes Campos.
"That was an illicit drug-selling collective that law enforcement dismantled," he explains.
Implement accurate and efficient security tools that monitor for and detect security threats in real-time.
—Uzi Scheffer, CEO, SOSA
The Dangers Lurking in the Dark Web for Businesses
The criminal activities that occur on the dark web can directly affect your business. For instance, your employee or customer data could be stolen.
"A popular product sold on the dark web is referred to as 'fullz,' referring to a 'full package' of personally identifiable information," says Levin. "Such a package contains an individual's name, Social Security number, birth date, account numbers and other data."
Information stolen from companies is often sold on the dark web, according Amini.
"Personally identifiable customer information such as home address and birthdays may be compromised and traded wholesale in such markets," he says. "This includes customer account information, such as usernames and passwords."
Company credit cards may also be stolen and the information sold on the dark web, adds Ted Wagner, CISO, of SAP NS2, a company specializing in national cybersecurity.
It's a major operation with far-reaching effects.
"The dark web often acts as the catalyst behind corporate data breaches," says Uzi Scheffer, CEO of SOSA, a global innovation platform. "Sensitive corporate information and digital assets are at risk. Criminals and hackers target this information, so they can steal the identities of customers and employees, as well as reveal unannounced company announcements that have the potential to sway stock value."
Steps to Help Avoid Trouble With the Dark Web
Once data ends up on the dark web, there's very little that can be done about it. It's best to avoid this from happening to your company, employee or customer data. The following best practices can help.
1. Prohibit employees from using TOR.
"If employees are allowed to access the TOR network, they can easily expose your company to damaging material and/or malware. This would be particularly detrimental to your corporate network," says Wagner.
"Provide clear guidance in employee manuals and train employees on 'clean' internet use," advises cybersecurity attorney Braden Perry, a partner with Kennyhertz Perry. "Use software to block TOR. Make it clear that corporate investigations will be initiated if management suspects that this rule is being broken."
2. Educate employees on security protocols.
"The end user is the weakest link in your protective measures for your network," says Campos.
"This means it's important to teach all employees about cybersecurity measures and compliance with your company's policies," he says. "The more aware and trained your employees, the better."
3. Limit employee access to sensitive data.
It's a good idea to operate on a need-to-know basis when it comes to company data. The fewer employees who have access to company and client sensitive data, the less likely your company is to experience a breach.
4. Employ a comprehensive security program.
"If businesses have good control of their sensitive information, it won't wind up on the dark web," says Levin. "Ensure that privacy protections are airtight. Access vulnerabilities and use vulnerability management programs."
Being proactive is the key to avoiding problems with the dark web, believes Scheffer.
"Take steps to safeguard all systems and data and embed the necessary cybersecurity measures within the foundation of your business' IT infrastructure," he says.
"Implement accurate and efficient security tools that monitor for and detect security threats in real-time," continues Scheffer. "Additionally, guarantee safekeeping with layers of security weaved throughout processes to make a hack unappealing to cybercriminals."
5. Avoid storing sensitive information.
Smaller businesses could lean on larger service providers to reduce their attack surface, suggests Amini.
"Don't store sensitive information if you don't need to," he says. "Payment processing can be offloaded to third parties that specialize in this. In the event of a compromise to your business, customer financial information won't be accessible."
6. Don't reuse passwords.
Passwords are frequently traded on the dark web, according to Amini.
"Many people reuse the same password across multiple services, and that should be avoided," he says. "A compromise on a seemingly innocuous site can result in larger damages if that password is re-used for a more sensitive site, such as banking. Use a password safe to generate and manage random passwords."
7. Take advantage of a dark web monitoring service.
Various credit monitoring services also offer dark web monitoring, says Campos.
"Such a service regularly checks if any personal or company information is showing up in restricted forums on the dark web," he says. "An alert is then sent to the service subscriber with a recommendation on protective measures, [such as] password change or credit freezing."
Read more articles on digital tools.
Photo: Getty Images