A lot of bad things happen on the darknet. We all know that. From the illegal trading of drugs, stolen card details and personally identifiable data, to child porn, terrorism and much more – this vast, un-indexed chunk of the internet hides all varieties of sins. But security and risk managers would do well to look beyond sensational headlines and remember that most of these also appear on the open web.
Particularly when it comes to addressing supply chain and personnel risk, there is much they can do to reduce the insider threat – but the focus must be on both the open and dark web.
An inside problem
It has never been so important for organisations to manage the risks that can come from insiders, whether malicious or otherwise. A data breach or other security or reputational incident could seriously affect brand and shareholder value, customer loyalty, and even lead to significant regulatory fines, remediation and clean-up costs, and legal fees. Practically doing so is tricky, but one thing is certain: your supply chain and extended network of partner companies represent a major area of risk that must be managed.
The recently released PwC Information Security Breaches Survey for the UK reported an eight percent increase in respondents claiming that a security incident had occurred because of “weaknesses in vetting people”, up to 17 percent from just nine percent the previous year. It also found that third-party suppliers accounted for 18 percent of breaches, and that malicious internal employees – including, crucially, contractors – were responsible for 10 percent of breaches.
It is clear that vetting contractors and supply chain staff will not solve all of your security problems, but it will help reduce the risk of an incident. This is already recognised in highly regulated industries like energy, government, and critical national infrastructure – but it is best practice in every sector.
A typical easy win is to comb the web for any current or prospective contracted or supply chain employees who have expressed extreme political or religious views or could be accused of hate speech or online bullying. This kind of risk should be locked down early on and the technology and expertise is available to help you do this.
The right balance
An approach whereby human resources staff search out Facebook profiles or spend time Googling a shortlist of keywords is discredited. The critical challenge is that there's so much information available that managing supply chain risk is virtually an impossible task to undertake in-house. But not all providers are created equal.
You need a specialist provider that can sweep dark web sites and trawl and triage the indexed web for mentions of your organisation and references to your organisation – be these directly by name, or often by inference.
This isn't a process which can be done overnight. Any technology company claiming to be able to come in and switch on their service within hours will not be able to offer the kind of deep intelligence gathering service necessary to do this job effectively.
A comprehensive process involves sitting down with the vendor to undertake a full threat assessment and discuss ideal outcomes, with a view to fitting a capability to your organisation and specific risk profile.
To help with this, it pays to assess how much capability already exists in house. Do you have data analysts who can extract the all-important intelligence from the data, or do you need your provider to take care of this and produce easy-to-digest reports? These are all things to bear in mind. And the best vendors will be able to tailor their services to exact needs, so you're not paying over the odds for functionality you don't need, or getting an unusable service.
It is also important to remember that screening your supply chain in this way is only going to be effective if it is done continuously over the long term and in combination with more traditional risk management strategies to protect against reputational damage and data loss. This includes things like data loss prevention, tight access controls along the principle of “least privilege” and file monitoring.
But above all, don't forget that the dark net is not your only cause for concern. Potentially dangerous employees in your supply chain don't necessarily hide their views beneath the many layers of The Onion Router – they're often being very vocal on the open internet, on social media or on open and closed forums. And, used in the right way, specialised services are available for you to find them and head off that risk before it hurts your organisation.Contributed by Tim Ramsey, Operations Director, Centient.