Slightly more than $3,000: that's how much stolen corporate network credentials go for on the Dark Web. While the exact price of individual credentials may depend on several factors, such as how much revenue the business generates, we have seen login information for particularly valuable businesses auctioned off for as much as $120,000. Given that a successful ransomware attack can fetch cybercriminals nearly 10 times as much in ransom, buying valuable credentials is still money well spent for them.
Unfortunately for businesses, the consequences of exposing corporate credentials to the dark web are not limited to direct financial loss. Easy access to corporate information can also lead to damage to a company's reputation, loss of intellectual property, and increased insurance premiums.
The incidence of advanced persistent threats (APTs) continues to rise, and because these threats can move laterally across an infected corporate intranet, one employee's credentials can be enough for hackers to wreak havoc on an entire enterprise.
The number of exposed enterprise credentials continues to grow
Last year, the number of corporate logins with clear-text passwords exposed on the dark web increased by 429 percent. This dramatic increase in exposure means that an average business may now have 17 sets of login credentials available to hackers on the Dark Web.
It's not just small and medium-sized businesses with poor cybersecurity that are seeing their credentials shared on hacking forums. This year, SpyCloud found nearly 26 million Fortune 1000 corporate accounts and 543 million employee credentials circulating on the dark web, a 29 percent increase from 2020.
Even cybersecurity companies, which are supposed to be on the front lines of cyber defense, are exposed to this threat: a shocking 97 percent of cybersecurity companies have had data leaked on the dark web.
6 Ways to Secure Your Enterprise Credentials
Fortunately, a business isn't completely helpless when it comes to its passwords being put up for sale on the dark web. Here are six steps every business can and should take to ensure their corporate credentials remain secure.
I. Use unique passwords for all accounts and systems
The first step in keeping any organization secure is to communicate to employees the importance of using different passwords for different accounts and systems.
For decades, cybersecurity experts have been warning companies about the need to use strong, unique passwords. However, despite all the warnings, password reuse is still a common practice. The average employee may reuse the same password about 13 times. Worse, 29 percent of stolen passwords are weak. For example, the SpyCloud vulnerability exposure report found that Fortune 1000 employees are no strangers to using passwords such as 123456789, (company name) and password.
At the very least, companies should ban the use of these "bad passwords". Take a look at NordPass' list of the "200 Most Common Passwords of 2020" to get a better idea of which passwords should be on your organization's list of banned passwords.
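One way to enforce such a banned-password list at password-change time, as an added example that is not part of the original article. The deny-list entries, the company name "Acme" and the function names are constructed for illustration; the check also catches simple variants (character substitutions, appended years or symbols) that an exact-match list would miss.

```python
import re
from typing import List, Optional

# Constructed sample deny-list; in practice load a published
# common-password list such as the one the article mentions.
BANNED = {"123456789", "password", "qwerty", "letmein"}

# Common character substitutions undone before comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo simple substitutions."""
    folded = password.casefold()
    # Strip first so an appended "2020!" is removed rather than translated.
    core = re.sub(r"[\d\W_]+$", "", folded)
    return core.translate(LEET)


def rejection_reason(password: str, company_names: List[str]) -> Optional[str]:
    """Return why the password is banned, or None if it passes this check."""
    if password.casefold() in BANNED:
        return "on banned list"
    core = normalize(password)
    if core in BANNED:
        return "variant of banned password"
    for name in company_names:
        # Skip empty names: "" is a substring of every string.
        if name and name.casefold() in core:
            return "contains company name"
    return None


if __name__ == "__main__":
    for candidate in ["123456789", "P@ssw0rd2020!", "Acme2021!",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", rejection_reason(candidate, ["Acme"]))
```
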
However, staff members manage too many passwords to make each one unique and still remember them all, so it's unrealistic to expect that of employees. One way to encourage employees to create unique passwords is to give them access to a password manager. By allowing employees to use the password manager for personal use, you significantly reduce the likelihood that they will reuse the same passwords across applications. This approach becomes even more important because 73% of employees duplicate their passwords in their personal and work accounts. It is easy for a hacker to access an employee's Netflix account one day and compromise their employer's corporate network the next.
II. Change all passwords regularly
Even if your employees are doing a good job with their passwords, your corporate credentials could still show up on the dark web. According to a survey by the Ponemon Institute, 53% of companies have experienced at least one data breach in the past two years as a result of a third-party compromise.
Changing your passwords regularly (every few months or so) can help ensure that even if your corporate credentials appear on the dark web, they are no longer "fresh" and therefore of little use to hackers.
III. Enable multi-factor authentication
According to Microsoft, most account takeover attacks can be stopped by multi-factor authentication (MFA).
MFA adds an extra layer of protection, making it more difficult for cybercriminals to log in with other people's identities. Unless a malicious actor manages to gain access to an employee's phone, email or USB while also obtaining a password, they will not be able to log into their corporate account or system.
However, keep in mind that MFA, especially SMS MFA, is not foolproof. Hackers have tools to spoof, intercept and phish SMS messages.
IV. Provide security awareness training for employees
Employees are the weakest link in any organization's security posture. A report by Tessian found that 43% of U.S. and U.K. employees had made mistakes that had cybersecurity repercussions for their businesses. Phishing scams, including emails that attempt to trick employees into sharing corporate login information, are particularly common.
Educating employees about cyber threats and how to spot them is critical to mitigating attacks. However, in order for training to be effective, it needs to include more than just repetitive lectures. In the report mentioned above, 43 percent of respondents said that emails that looked legitimate were the reason they fell for the scam, while 41 percent of employees said they were scammed because the email looked like it came from someone senior. Real-world security drills can help employees become familiar with real-world phishing attacks and other password hacking attacks.
Security awareness training should also educate employees about the importance of good practices, such as using virtual private networks (VPNs) when working from home and keeping social media accounts private. Discouraging oversharing online is equally important. More often than not, hackers can get all the information they need to craft a convincing phishing email by scrolling through someone's social media feeds.
V. Monitor the dark web
If you suspect that your organization's corporate credentials have been exposed to the dark web, you can run a dark web scan. There are a number of tools that allow you to do this, many of which are free. WatchGuard, for example, lets you check whether your company's assets are at risk for free.
That said, you shouldn't search the dark web just once. Data breaches happen all the time, so you need to monitor the dark web constantly. To save time, consider investing in dark web monitoring software.
A dark web monitoring tool scans the dark web on your behalf and notifies you as soon as it finds any leaked credentials belonging to your company for sale. Dark Web alerts should give you enough time to take action before threat actors use your business' credential information for malicious purposes.
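What acting on such an alert can look like, as an added example that is not part of the original article: each leaked entry for the corporate domain is checked against the current salted password hash, so accounts whose exposed password is still in use ("active") are separated from those already rotated ("stale"). The domain, accounts, passwords and the "email:password" dump format are all constructed for illustration.

```python
import hashlib
import hmac

CORP_DOMAIN = "example.com"  # hypothetical corporate domain


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, standing in for the directory's stored hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def triage(dump_lines, directory, domain=CORP_DOMAIN):
    """Map each exposed corporate account to 'active', 'stale' or 'unknown account'."""
    findings = {}
    for line in dump_lines:
        # Split on the first ':' only; passwords may contain colons.
        email, sep, password = line.strip().partition(":")
        email = email.casefold()
        if not sep or not email.endswith("@" + domain):
            continue  # malformed line or someone else's domain
        record = directory.get(email)
        if record is None:
            findings.setdefault(email, "unknown account")
            continue
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            findings[email] = "active"          # leaked password still works
        else:
            findings.setdefault(email, "stale")  # exposed but already changed
    return findings


def _entry(password: str, salt: bytes):
    return (salt, hash_password(password, salt))


# Constructed directory: email -> (salt, current password hash).
DIRECTORY = {
    "alice@example.com": _entry("Tr0ub4dor&3", b"salt-a"),
    "bob@example.com": _entry("new-passphrase-2024", b"salt-b"),
}
# Constructed sample of a leaked credential list.
DUMP = [
    "Alice@Example.com:Tr0ub4dor&3",
    "bob@example.com:Summer2019",
    "carol@other.test:hunter2",
    "garbage line without separator",
]

if __name__ == "__main__":
    print(triage(DUMP, DIRECTORY))
```

Accounts reported as "active" need an immediate forced reset; "stale" ones still show that the user's credentials were exposed somewhere and are worth a reuse check.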
VI. No passwords
Since 80% of hacker-related intrusions are caused by compromised credentials, it doesn't make sense to rely on passwords. Instead, many enterprises are turning to passwordless authentication. In a recent survey by LastPass, 92 percent of enterprises said that passwordless authentication is the future.
Passwordless authentication is more secure because users don't have to enter a password or any other memorized secret to log into an application or IT system. Instead, users can prove their identity based on "possession factors" (such as hardware tokens or one-time password generators) or "inherent factors" (such as fingerprints).
Passwordless not only strengthens an organization's security, but also improves the user experience. In its "The Future of Passwordless Report," Okta found that almost 50 percent of users are bored with passwords. In addition, about one in five employees delay work because they forget their passwords, and more than a third are often locked out of their accounts altogether. Not surprisingly, 64 percent of cybersecurity professionals say that user experience is the reason their organization eliminated passwords.
Other benefits of going passwordless include lower total cost of ownership (reducing the number of support tickets) and increased visibility into identity and access management.