The dark web is a rich resource for internet scoundrels peddling stolen information, but have you been curious how much of your employees’ data is exposed, or how to search the dark web to begin with? You may believe having your employees’ sensitive data exposed is a rare occurrence, but the research we conducted on July 10th shows nearly 4 in 10 of your employees might already be compromised.
Nearly 4 in 10 enterprise employees are exposed.
I led a full analysis and dark web dig on five enterprise companies to determine just how much of their data and sensitive employee information was sitting on the dark web. Of these five, we discovered over 500 breaches. Per company. In all five examples, hundreds of employees’ private information was exposed on the dark web and their IT teams had zero knowledge. (We aren’t going to release their names.)
All respective IT leaders were unaware their employee information was exposed and were especially surprised when we gave them access to the data and they were able to verify the accuracy—it’s one thing to claim you found an executive’s password, but the real terror sets in when you’re able to read it to them.
In our report we discovered passwords, email addresses, names, and even personal websites they had visited that led to their data being exposed—some were a bit embarrassing, if you catch my drift. In data accumulated from all five companies, on average between 30% and 35% of each company’s staff had been compromised.
One of the major issues we discovered in our research is employees’ habit of using corporate email addresses to access websites they don’t want their own personal email accounts linked to. Websites like Ashley Madison, for example (not linked on purpose), but also gaming sites, house buying sites, fitness apps, and even reputable sites like LinkedIn, to name a few.
Nearly 4 in 10 enterprise employees could be exposing not only themselves to intrusion, but your entire company. Some of the data was so sensitive and alarming that one of the five companies we presented this data to has already turned over their report to the FBI, opening an investigation.
How To Search the Dark Web
As a security lead, I’m often asked how to search the dark web. I have often helped contacts and clients determine if their information was compromised, but this process takes a lot of time and manual browsing. At times I’ve even asked colleagues and fellow security experts who know their way around the dark web to help in my search. Yes. We manually search in suspect locations.
Sites are hidden on the dark web by design. You have to know where to go. Truly being able to find everything was a pipe dream until recently. A new tool we’ve been quietly testing makes this process faster and much more accurate. But data alone isn’t good enough; that’s why companies need to take action.
How We Conducted Our Research
We are currently putting together a 5-step process that goes far beyond existing web tools like “Have I Been Pwned” and “KnowBe4.”
- Step 1: Run the self-vetting report. (This is free)
- Step 2: Rank all employees with a threat/risk score (like credit score).
- Step 3: Gamify the solution, communicating to employees what they can do to improve their score.
- Step 4: Implement a phishing notification button within Outlook, giving users an instant “phishing check” tool.
- Step 5: Implement integrated cybersecurity training within Outlook, so employees don’t have to log into another site. Simplicity is key!
Most data on the dark web, around 30-50%, is fluff and not accurate, which is why handing over a self-vetting report is important. But I feel the most exciting part is the phishing tool.
Your e-mail users can click on a button in Outlook to verify a potential phishing email’s legitimacy, instantly getting detailed analysis. The explanation educates your users each time they check an e-mail. If it’s deemed a phishing e-mail, it gets routed to your security team, so they can blacklist it.
All five of the original test companies agreed the process and technology “beats Troy Hunt’s Have I Been Pwned or Insight by a long shot.” Keeping your information secure goes beyond learning how to search the dark web; it takes education about how information finds its way there in the first place.
If you want us to pull a report on your company to see what the dark web has on you, contact us and we will run it at no cost.
Kristopher Taylor is VP of Cyber Security at 3 Tree Tech in Portland. He is a platform-agnostic tech researcher who transitions siloed organizations into automated, DevOps-centric businesses.