A recent article by Risk & Insurance highlights a research study and webinar conducted by Dr. Michael McGuire, a criminology expert and Senior Lecturer at the University of Surrey. The study focused on how hackers steal data and sell it on the dark net, and how this impacts businesses. For the study, Dr. McGuire and his team posed as individuals interested in buying various services from hackers on the dark net.
The most shocking takeaway from this study is the low cost of malware services that are used for cyber-attacks. Prices ranged from $3 to $40, and instructions on how to use the malware were even included at this low price. Other tools for hacking businesses, like remote access trojans (RATs) and targeting services, were also very inexpensive. Tools for conducting financial attacks, including phishing tools, fake receipts and employee credentials, were readily accessible at a low price.
While participating in the dark net, McGuire and his team were consistently offered services targeting specific corporations (by 65% of the dark web vendors). “What that told us was that this was going beyond purely criminal activity. The volume of targeting services suggests there was a real demand for spying, for espionage on other company activities presumably from other companies as well as cybercriminals,” said McGuire. These vendors mainly targeted financial and e-commerce companies, but healthcare and media businesses were also at risk.
Another important takeaway was the number of organizations that were threatened by their own employees. Some may have malicious intentions, but often employees were providing backdoor access to cybercriminals without even realizing it, for example by using encrypted messaging systems in the workplace. Lack of employee training and cyber understanding could be creating additional exposures for businesses. In fact, a recent Forbes survey quoted in the article indicated that 68% of IT professionals surveyed said their business was either moderately or extremely vulnerable to insider threats.
During the study, McGuire’s team had easy access to business emails containing very sensitive business information. “The content of some of these emails included things like company policy, strategy — high-level strategy — there were keywords around payments, hiring, firing, resignation of employees, project costs and so on,” said McGuire. The availability of compromised business emails for purchase should be a reminder of the importance of being vigilant about sensitive information included in emails.
The following are some recommendations for businesses to consider to enhance their cybersecurity:
- Monitor employees’ internet usage, browsers and cell phones.
- Monitor emails for any sensitive or classified information.
- Ensure your company understands the various types of malware and remote access trojans.
- Ensure that all company applications are secure.
- Develop and document clear internet and application usage policies.
- Properly train your employees to ensure they have an understanding of cyber-related exposures.
- Consider having a cyber team explore the dark net to see what is available about your organization. This is a great way to see how vulnerable your company is, what data is available and how to enhance your cybersecurity.
Cyber-attacks continue to occur because they are inexpensive to conduct yet produce a large profit. Reach out to a trusted advisor to protect your company.