Cyber Security

The dark web is often known for the illegal activities conducted there, and while not everything on the dark web is illegal, it’s most appealing factor is its anonymity. The dark web is often a place where stolen data and personal information is bought and sold following a data breach or hacking incident. An article on Experian takes a look at what your personal information is worth on the dark web and how you can help protect yourself from being exposed.

How much is your information worth to an identity thief on the dark web?

 Social Security number: $1

Credit or debit card (credit cards are more popular): $5-$110

With CVV number: $5

With bank info: $15

Fullz info: $30

Note: Fullz info is a bundle of information that includes a “full” package for fraudsters: name, SSN, birth date, account numbers and other data that make them desirable since they can often do a lot of immediate damage.

Online payment services login info (e.g. Paypal): $20-$200

Loyalty accounts: $20

Subscription services: $1-$10

Diplomas: $100-$400

Driver’s license: $20

Passports (US): $1000-$2000

Medical records: $1-$1000*

*Depends on how complete they are as well as if it’s a single record or an entire database

General non-Financial Institution logins: $1

Note: Prices can vary over time and prices listed below are an estimation and aggregation based on reference articles and hands on experience of Experian cyber analyst the last two years.

How are criminals purchasing this information on the dark web?

 Information can be bought and sold a variety of ways on the dark web, however the most common include:

1. Purchasing data as a single item, such as a Social Security number.
2. Purchasing bulk data, such as batches of the same information.
3. Purchasing bundled data containing various types of information bundled together.

The cost of personal information on the dark web fluctuates, but what is responsible for the change?

The four main factors driving the cost of personal information on the dark web include:

1. The type of data and the demand for it. The cost often depends on the type of data and the need or ability to use that data.
2. The supply of the data. If there is less data available for a cybercriminal to purchase, the value of that data increases.
3. The balance of the accounts. The higher the balance in the stolen account, the higher the cost of the data. The balance could be the amount of money in a particular account as well as points value (i.e., a loyalty account).
4. Limits or the ability to reuse the data. If the data being purchase can only be used once, the value of that data is worth less to a cybercriminal than data that can be reused multiple times or across various platforms.

How can you protect yourself?

Data breaches are becoming increasingly common and are often outside of your control. It is important to help minimize your risk of a hacker gaining access to your accounts by utilizing healthy password practices and by keeping your personal information private unless it is absolutely necessary to share.  Keeping antivirus software and all other software up to date will also play a crucial role in protecting your information, as these updates could contain security patches to fix potential vulnerabilities that could expose your information.

It is also recommended to run a dark web scan on your email address, utilize a dark web monitoring tool and monitor your credit report for potential red flags that your identity may have been compromised.

Human-error; we talk about it all the time, but what exactly do we mean? Human-error occurs when an individual performs a task or does something with an unintended outcome. It’s easy to point the finger at employee’s as being an organization’s weakest link, but without appropriate security awareness training provided by the employer, how can employees truly know what to watch out for?

An IBM study found that human-error accounts for 95% of security incidents, yet security awareness training for employees often ends up on the back burner.

In a recent survey by ESET, we learned that cybersecurity training is not a top priority for many organizations, with 33.3% of employees feeling that their employer has provided them with absolutely none. Only 17.9% of survey respondents felt their employers were providing them with “A lot” of cybersecurity training.

With the need for security training clear, even the most surprising organizations are jumping on the bandwagon, offering security awareness training as part of their services.

Since security incidents are often a result of employee mistakes, it is evident that technology alone is not enough to protect an organization. While antivirus (AV) companies may have previously found success in offering their virus protection services alone, the realization that employees are an organization’s weakest link has led many AV vendors to one conclusion: to be successful and provide services that can truly defend against cybercrime, providing education through security awareness training is key.

Educating employees on security awareness is crucial to organizations, especially those with sensitive data, so why is the AV industry just recently making a push to offer this service? Cybercriminals are relentless in their efforts to carry out their attacks, and while AV companies have historically been embarrassed to admit their products are not the catch-all for fighting cybercrime, they have since recognized that these criminals are becoming more sophisticated in their attempts. In the digital era, criminals have become masterminds at forming social engineering attacks to trick their victims, a scheme that no antivirus can protect against.

In addition, a fierce competition and the desire to generate more revenue could be contributing factors. With free AV software that provides enough coverage for organizations to feel protected, they may look to use those funds in other areas to defend themselves.

AV does play a crucial role in defending an organization, but it’s important to remember that a layered security strategy is necessary for adequate protection.  We must not forget that without appropriate training provided by organizations, employees cannot effectively act as that first layer of defense.

Security awareness training will certainly help employees learn how to spot malicious attempts by cybercriminals, but it is also required to comply with federal and in some cases state regulations. A lack of training will open the door for cybercriminals and may result in a breach, causing potentially significant fines and penalties as well as likely damage to an organization’s reputation.

The time is now to jump on the security awareness training bandwagon! After all, employees can’t help defend against cybercrime if they aren’t provided with the necessary tools to do so.

Breaches are becoming increasingly common as cybercriminals continue to advance their skills and tactics to trick their victims into falling for their scams. While cybercriminals are remaining diligent in their efforts to carry out their attacks, small business owners continue to underspend on cybersecurity. An article on Entrepreneur looks at 5 things your employees are doing that put your business at risk.

The 2016 State of SMB Cybersecurity Report revealed that half (14 million) of the 28 million small businesses in the U.S. had been hacked by cybercriminals, but why? According to a CNBC survey of 2,000 small-business owners, small businesses are not spending enough on cybersecurity.

With human-error being the most common reason for a cyber intrusion, employee security training is crucial to ensuring employees know how to spot a hacking attempt.

Since it is possible to reduce your odds of getting hacked through employee security training, it’s important to understand what employees are doing that will get you hacked. Below are the top 5 most common mistakes:

What are employees doing that will get you hacked?

Being lazy

Employees often feel that it’s not their job to worry about security, or that IT is responsible for “that kind of stuff”. Small businesses often lack IT resources, especially equipped to handle cybersecurity threats like ransomware. Employees should be aware that they are a target for cybercriminals and that it’s their job to help stop them from carrying out a successful attack.

Unprotected email

Email hacking is one of the fastest growing cybercrimes, with millions and possibly billions of stolen emails for sale on the dark web. Employees often have 2-step verification turned off in their email app, allowing hackers easy access to those email accounts if they have the stolen credentials. Once a hacker is in that email account they have free range to access any data that may be stored in the account, such a personally identifiable information (PII), credit card data and additional log-in credentials. 2-step verification is simple to enable in most popular email platforms. After 2-step verification is enabled, a code will be texted to the employees’ phone making it so that a cybercriminal would have no way to access that email account.

Clicking on fake emails

According to the cybersecurity company PhishMe, 91% of cyberattacks begin with a spear phishing email. In these phishing emails, hackers design the email to look authenticate so the employee thinks it is coming from the real source it’s claiming to be. These phishing emails may appear to come from credible company’s customer support departments, such as Microsoft or Google or could even appear to come from you (their boss). In many cases, once an employee falls for a phishing scam, their computers/mobile devices become infected with ransomware.

Lousy passwords

SplashData reported that the most common password in use today is 123456. Not only is this a very weak password to begin with, but people are often reusing their easy to crack password across multiple sites and accounts, as well as sharing them with co-workers. Other common employee mistakes when it comes to passwords include physical protections, such as writing them on a sticky note and leaving that on their computer or under their keyboard. Employees may also be typing their password without paying attention to wandering eyes that may be watching them.

No backup

There’s a good possibility that at least one employee in your company isn’t backing up the data he or she is supposed to be, which is a major problem. Not only is there a risk of files being lost due to technical issues, there is also danger in losing those files to a cybercriminal. During a ransomware attack, a cybercriminal locks the user out of their account and denies them access to their files unless a ransom is paid. Even after the ransom is paid, there is no guarantee that the files will be returned to the user, making backup files crucial.

Although these employee mistakes can lead to major issues for your business, it’s not too late to protect yourself and your organization! Training your employees on security is vital and a great way to ensure they know what to lookout for to help prevent a hacker from carrying out a successful attack on your business. In addition to security awareness training, it is beneficial to share these 5 common mistakes with your employees to bring them to their attention and help them understand the risks they may be presenting.

Identity theft is an unfortunate occurrence that is all too familiar with most business owners, but do those individuals know where the compromised data will end up? Often, these business owners are unaware of the virtual marketplace where stolen data is purchased and sold by cybercriminals; a place known as the “Dark Web”.  An article on Lexology explores what the Dark Web is, what information is available for purchase there and how it impacts small businesses.

What is the Dark Web?

The Dark Web, which is not accessible through traditional search engines is often associated with a place used for illegal criminal activity. While cybercriminals tend to use the Dark Web as a place to buy and sell stolen information, there are also sites within it that do not engage in criminal activity. For many, the most appealing aspect of the Dark Web is its anonymity.

What is for sale on the Dark Web?

Information sold on the Dark Web varies, and includes items such as stolen credit cards, stolen account information from financial institutions, forged real-estate documents, stolen credentials and compromised medical records. Even more alarming, the Dark Web contains subcategories allowing a criminal to search for a specific brand of credit card as well a specific location associated with that card. Not only can these criminals find individual stolen items on the Dark Web, but in some cases, entire “wallets” of compromised information are available for purchase, containing items such as a driver’s license, social security number, birth certificate and credit card information.

What is stolen personal information used for?

When stolen information is obtained by criminals, it can be used for countless activities like securing credit, mortgages, loans and tax refunds. It is also possible that a criminal could create a “synthetic identity” using stolen information and combining it with fictitious information, thus creating a new, difficult to discover identity.

Why are stolen credentials so valuable? 

Stolen user names and passwords are becoming increasing popular among cybercriminals, but why? Identity thieves will often hire “account checkers” who take stolen credentials and attempt to break into various accounts across the web using those user names and passwords. The idea here is that many individuals have poor password practices and are using the same user name and password across various accounts, including business account such as banking and eCommerce. If the “account checker” is successful, the identity thief suddenly has access to multiple accounts, in some cases allowing them the opportunity to open additional accounts across financial and business-horizons. 

Why should small businesses be concerned about the Dark Web?

Since the Dark Web is a marketplace for stolen data, most personal information stolen from small businesses will end up there, creating major cause for concern. With the media so often publicizing large- scale corporate data breaches, small businesses often think they are not a target for cybercriminals, however that is not the case. Cybercriminals are far less concerned about the size of a business than they are with how vulnerable their target is. Small businesses often lack resources to effectively mitigate the risks of a cyberattack, making them a prime target for identity theft as well as other cybercrime.

At a recent Federal Trade Commission (FTC) conference, privacy specialists noted that information available for purchase on the Dark Web was up to twenty times more likely to come from a company who suffered a data breach that was not reported to the media. The FTC also announced at the conference that the majority of breaches investigated by the U.S. Secret Service involved small businesses rather than large corporations.

How can you reduce the risk for your small business?

To reduce the risks of a cybercriminal gaining access to your company’s information/network, you must ensure you have proper security measures in place. The FTC has a webpage that can assist with security options for businesses of any size.  In addition, it is crucial that your employees are properly trained on security, including appropriate password practices. There is also talk of a government-led cyberthreat sharing program which would help enhance security across all industries by sharing cyberthreat data.