Shedding light on the dark web
Too many companies, including law firms, don't concern themselves with the murky depths of the web. That's a mistake that can prove costly, says Adam H Bloomenstein
The dark web and online criminal activity are inexorably linked, but many organisations have little or no idea about this shadowy place on the internet. Companies have been slow to grasp the impact the dark web is having on business, leaving many exposed to potential major disruptions of their operations.
Essentially the dark web is a private part of the internet that uses encryption tools to allow users to move and conduct business anonymously. Ransomware is freely available and bitcoin is the main currency of this network of hidden websites. Of course, ransomware is a major accessory to cyber fraud, which has cost UK businesses more than £1bn in the past year, according to figures released by Get Safe Online and national fraud and cyber crime reporting centre Action Fraud.
According to Hazelwoods, a leading firm of tax advisers and chartered accountants, a jump in losses to cyber fraud suffered by UK law firms between 2015 and 2016 is associated with a sharp rise in the number of attempts by fraudsters to trick lawyers into transferring funds to them by hacking email accounts of employees and clients.
Recent global cyber attacks, such as that experienced by the NHS, have involved the use of ransomware to lock users out of their computers, where the malware typically encrypts the entire hard drive. That user is then asked to pay a ransom fee '“ usually in bitcoin '“ to have their computer networks unlocked.
Business on the dark web
There are many legitimate uses for private areas and anonymous web transactions. However, these hidden parts of the web hide all manner of illegal activity. Initially, weapons and drugs drove much of this unlawful trade. More recently, company secrets, product designs, and other critical information have made it on there. It's something law firms need to be aware of '“ and have plans for mitigating the risks.
A growing trend in dark web circles, which should have many companies concerned, is the sale of intellectual property for profit. New product designs are hugely popular, especially with nefarious manufacturers looking to release the next high-tech gadget on the market before the real manufacturer's launch date.
Computer assisted design (CAD) plans are regularly shared electronically, even with third parties brought in to help with product development. This provides more opportunities for leaks of vital information, such as from a disgruntled employee, to be shared on the dark web.
Someone buying product designs will pay via bitcoin so they cannot be traced to the transaction. However, one particular type of buyer for leaked IP may be the most surprising and ironic: the company that designed it in the first place. Companies are often willing to pay the price so that they get back what they lost and prevent an even larger financial loss. This process is the basis of ransomware schemes on the dark web. Of course, the sellers don't care who buys it, only that their price is met.
Combating hostile forces
While carefully screening potential employees will help strengthen a firm's cyber security, a holistic approach should also be taken beyond the vetting process. Firms should train their employees on basic data security protocols. Employees should be taught to update their antivirus software, not use commonly predicted passwords, not log into email accounts while on public WiFi, and be cognisant of phishing email scams that may put the firm at risk of monetary loss. Such practices may significantly decrease firms' vulnerability to cyber fraud.
It's also common that businesses will outsource some work to outside suppliers. Often, they will not have taken the time to really investigate if the supplier's security protocols are up to date and enforced. Vulnerabilities at a partner organisation put your firm at risk, too.
Audits are recommended for any supplier who will be entrusted with proprietary company information. This includes looking into their hiring practices and how they screen employees to prevent IP theft.
Other measures include a review of the supplier's security plan and protocols, an audit of the company's physical security operations, fingerprinting of key employees, and full review of the vendor's cyber security risk mitigation systems. We would also recommend monitoring of dark web activities at least 90 days prior to product launch, looking for designs/specifications for purchase, and continued monitoring at least 30 days after launch to prevent a flood of counterfeits in the marketplace.
Ignorance is no defence
Too many companies either don't know about or don't concern themselves with the dark web. That's a mistake that can prove costly. Dark web criminals are often caught because they are complacent and eventually make a mistake. However, a lot of damage can be done before then, so companies really need to commit to a plan that is dedicated to this new arena of IP theft, fraud, and extortion.
Adam H Bloomenstein is the general counsel for Pinkerton, a global provider of corporate risk management services