Why charities need to manage the risks of the Dark Web

On the Dark Web you will find:

- Vast ’dumps’ of leaked data such as credit card data being distributed and sold

- Stolen password credentials for hacking into accounts

- A recent rise in stolen healthcare data containing very sensitive information on patients, with multiple serious implications for healthcare organisations

- Stolen or counterfeit goods such as medicines and even unauthorised COVID-19 testing kits that are not only financially damaging to healthcare organisations but are extremely dangerous

- Forged documents such as identity cards and membership cards, for things like the Red Cross first aid courses, that end up damaging the credibility of real organisations and costing them financially

- Traded ’reconaissance’ reports with information detailing exactly how a specific organisation can be hacked, its servers and its security weaknesses

Ultimately, if your organisation is being discussed on the Dark Web as a possible target, or if data on your donors or beneficiaries is being traded, or your goods being counterfeited, you will need to know about it fast. It could already be happening and the damage being done.

What can charities do?

John Evans, Intelligence Analyst at cyber threat monitoring firm Skurio says: "Let’s be realistic. You may have excellent network security, strict control of your staff, and have done all the right stuff, but can you say the same thing for your beneficiaries, service users and donors? Do they all behave responsibly with password management? Probably not as a whole."

"It’s understandable that suggestions aren’t enforced around passwords. If someone wants to go to your website make donation and can’t log in because of a hard-to-remember password, it will frustrate them and stop them donating. But if a customer uses an old password they’ve used elsewhere, it won’t take a genius to figure out what that password might be. Most users will have already been included in one or more breaches in their lifetime. So it’s in a charity’s best interests to encourage their users and donors to set as secure a password as possible, and require a second means of authorisation."

Monitoring is also a must. Using an automated system to search for your organisation’s domains and IP addresses on the Dark Web can easily detect a breach concerning your assets, and find exactly where data is being sold and discussed.

"Monitoring the Dark Web is difficult but not impossible," says Evans. "You just need a safe environment to access it and an automated solution or experienced third party. You should never try to access the Dark Web yourself as the risks from encountering dangerous material or malware are too great, and you gain much better insight from having experts on hand. Skurio, for example, liase with the National Crime Agency and law enforcement."

"The days of cyber criminals being unstoppable are over, and with a bit of detective work, Dark Web criminals can be traced and caught. The more we as leaders and cyber security professionals do to combat the Dark Web, the better protected well be both at work and in our personal lives."