Finally, GDPR is nearly upon us. Over the past year or so you’ve probably spent a lot of time getting your internal security and procedures in place ready for the changes in data protection regulations, but have you remembered to include monitoring for your data appearing outside the firewall?
GDPR throws particular focus on protecting data – it’s not about securing your network. Particularly when much of your data already sits outside of your controlled network on third party servers and devices – think of all your clients and suppliers that have got your data. We have seen many instances over the past year of “open buckets” exposing corporate and business data. Furthermore, as much of the worldwide web operates in underground criminal marketplaces within the dark web, a data breach can be difficult to detect.
As specialists in dark web monitoring, we see thousands of dark web transactions in stolen corporate data every day. We’re seeing a trend in the types of data criminals are buying and selling – and even giving away- , and the sooner you know about them, the sooner you can put plans in place to counter the problem. Here are the top five areas we think you should be focusing on:
1. Employee personally identifiable information (PII)
Every company keeps data on their employees, usually within HR systems, and this data often gets widely shared — the company pension advisers, corporate travel agencies, employee benefit providers like the local gym — you’ll be surprised how many third-party organisations your data is shared with. These systems house lots of sensitive information on your employees like National Insurance number, passport and driving licence numbers, date of birth, banking information and home addresses. This kind of data is gold dust for cybercriminals, who will either use it for fraud and identity theft themselves, or sell it on the dark web for others to commit fraud.
Top tip: Make a list and document every organisation that holds data about your staff and ask them about their data security policies. And don’t forget all your previous suppliers — the ones you don’t use any more. Contact them to find out what data they still have on file for your organisation, and if it’s not being used, then ask them to delete it.
2. Customer personally identifiable information (PII)
CRM databases are great for storing the information you have on your customers, but what happens when someone (a member of staff) exports the data and shares as a CSV file with partners or suppliers? Once that data has left the building, you have no control over where it might end up. And if the supplier or partner you’ve shared it with doesn’t have good cybersecurity in place, that data could end up being circulated online. Under GPDR, you’re equally liable even though the breach happened at one of your suppliers.
Top tip: Create a fictitious email account (Gmail is fine) and add the address into your CRM system. If that address ever shows up on a dump site, or if it suddenly starts receiving spam — or emails from a competitor — then someone has lost or accessed that data.
3. Corporate login credentials
When logging into a site with your work email address, how many different passwords do you use? Although it may sound obvious, it’s important to ensure that your employees don’t use the same password for multiple sites, because if one of those third-party sites get breached, the bad guys can get access to other accounts — or even your corporate network. So, when signing up for a newsletter or a corporate event using your work email address, make sure you use a different password on every site because that site could easily be storing the password insecurely, or have critical vulnerabilities that allow a script to get in and grab your data. And even if cybercriminals aren’t able to retrieve your password, a compromised email address means you’re at increased risk from phishing emails.
Top tip: Provide your staff with a password manager and integrate it into your security policy, with rights to use it at home as well as work. This will minimise the chance that one breached password will expose multiple accounts — or even the corporate network. At RepKnight we use Dashlane, but there are plenty of others.
4. Trade secrets and confidential company data
With all the talk about GDPR, it’s easy to forget the “data about things”, which isn’t covered by the legislation but is equally valuable. If cybercriminals can gain access to your corporate network, this opens up a world of opportunities for the bad guys. Everything from Sales Team presentations to marketing and business plans will be accessible, which can put your company in an extremely vulnerable situation. On average, European companies take more than 450 days to spot a breach, which is plenty of time for cybercriminals to snoop around networks, files and folders and discover something sensitive and lucrative — exfiltrate it and then leave before anyone finds out.
Top tip: Think about the keywords you’d use to identify your confidential information. Perhaps it’s as simple as the company name and the word “confidential”? You can then set up a Google Alert to let you know if those terms get posted online (on the sites searched by Google, in any case – which doesn’t include the Dark Web!).
5. Server IP addresses
Is your critical infrastructure being targeted by cybercriminals, or have ‘script kiddies’ discovered a backdoor or vulnerability — maybe on that long-forgotten development server that’s been left switched on, or that development version of your website? If that IP address is being discussed on a dark web forum — or port scan results are being shared on a dump site — you’ll probably want to take a look, and hopefully prevent a breach before it happens.
Top tip: Run an internal and external scan to discover all the external facing IP addresses used by your infrastructure — you’ll probably be surprised how many there are. And if there are any that aren’t needed any more, why not take this opportunity to shut them down, and close a potential point of entry for an attacker?
What you can do to protect all this data
Your IT teams could always monitor for data manually – but that’s pretty boring, and your people have much better things to do. Keep watching BBC News 24 or CNN all day, every day, and see if your company crops up after a breach. You could also download specialist browsers to access the dark web and trawl through each of the major marketplaces every day to make sure nobody’s selling your data.
Or you could rely on dark web monitoring technology that continuously scours every corner of the internet looking for your stuff, and alerts you the moment someone posts your data in a suspicious place. Our BreachAlert dark web monitoring software automatically monitors millions of dark web pages, including hundreds of dump sites and then filters and extracts information based on things like domain names, login credentials, email addresses and so much more.
Best of all, there’s nothing to install, and you can set it up in around 30 minutes – so there’s plenty of time to protect all that information in the last few days leading up to GDPR.