Sites are hacked every day.
Just this week:
- Total Compromises: 13,394
- Top Personally Identifiable Information (PII) compromised: Domains (13,916)
- Clear Text Passwords (7,014)
- Top Company Size: 1-10 (4,172)
- Top Industry: Education & Research (1,232)
Your Information IS for sale on the DarkWeb. It travels quickly across the world and is viewed by thousands in a weeks’ time[1]. Once on the internet, whether on the surface internet (what we know of as the internet) or on the deep / dark web, you cannot erase it. Many evil things happen on the dark web, it’s not just about stolen credentials. Drugs are sold; people are sold; counterfeit money is sold; access to your server is sold. Your stolen PII can be used to create what looks like a “real person” or to steal your actual identity to open credit card accounts, or even get healthcare.
So, You should behave as if your information is compromised.
Many breaches are not publicly disclosed, but your information is still on the Dark Web, for sale.
It’s hard to change your email, address and phone number, so that is not the plan. Focus on being aware of breaches and strengthen your password strategy.
MUST-DO Practices
Minimize the impact of the Dark Web having your email by avoiding the use of your WORK email on websites, unless necessary.
CHANGE that compromised password where-ever it, AND ANY VARIATION of it, is being used. When you take inventory, you will be surprised at how many logins your have created with the same password. They add up quickly.
- Use LONGER passwords, like phrases or a combination of several unrelated words.
- Use a password manager, like LastPass, and get it to create long (14-16 characters), complicated passwords. You only have to remember the ONE that get’s you into the app.
Use 2 FA (2 Factor Authentication). So they have your login and password, but they don’t have your phone that gives you a 1-time use pass code to complete your login credentials. Many programs and websites have this as an OPTION, turn it on.
Other great practices:
Monitor for breaches. Some think this is controversial. If you assume your credentials are compromised and act accordingly, what will monitoring do to protect you? Our point of view is – you cannot ALWAYS be “on” AND on average, compromised credentials are not reported until 15 months after the breach occurs. Monitoring for identity theft and monitoring the Dark Web helps alert you immediately, which gives you the power to react more quickly and not wait until you remember to review ALL your vulnerabilities. A faster response to incidents is proven to lessen the impact, so why not, it is not very costly.
Business level monitoring – DarkWebID provided by Integrity IT constantly looks for your domain (ex. @integrityky.com) and sends alerts when something new is posted. Executives can also monitor their personal email address since they are often intertwined in business. The cost to your business is about $1,200/year (discount for managed services clients).
Personal level monitoring – the website “Have I been pwned”, shows you what type of data is found based on an email address. This is free. Many have received free Identity Theft monitoring from a company involved in a breach, like Equifax and Anthem. You can subscribe to this type of monitoring through Spotlight ID, IdentifyForce, LifeLock, or ID WatchDog. Prices for individual monitoring range from $120 – $300/year.
https://haveibeenpwned.com/
https://myaccount.google.com/security-checkup
Monitor your credit card and bank accounts regularly. With the great convenience of auto-pay, it’s easy to not look at accounts for months. Set appointment reminders to do so monthly.
File your taxes early before a criminal does it for you.
Review your credit history 2-3 times a year. You have one free report per year from the three agencies, use them 1 at a time and stagger your reviews.
https://www.annualcreditreport.com
After the enormous breach of Equifax[2], many people have frozen their credit, so criminals cannot try to open accounts with your stolen information.
https://www.identitytheft.gov/Info-Lost-or-Stolen
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
If you think your identity is stolen, report it immediately. Notify your banks and credit cards.
https://www.identitytheft.gov/
Do not use PUBLIC WIFI – it’s an easy target for criminals to intercept your activity. Just wait for a secure connection or get a hot-spot for business use.
[1] The experiment conducted by security vendor BitGlass
[2] 143 million Americans data was compromised in the 2017 Equifax breach