The current situation in Germany is bleak and cannot be glossed over. According to a recent study by Botiguard, 60 percent of all companies are affected by data leaks on the dark web. The numbers are much higher than previously assumed. What does this mean for companies? Data leaks are one of the top reasons for successful cyber attacks and ransomware attacks. Affected companies have a 7x higher risk of being attacked by ransomware Trojans and hackers. As hacker attacks increase, a further increase can be expected in the future. Hacked companies already have particularly high hit rates, as do listed companies and the energy sector. State institutions belong to the high-risk group. Due to the global network with partner companies, data from one’s own company can also leak, although one’s own security is in good order. The state and companies urgently need to do something.
Ariane Lindemann talks to CyberLab alumni Salko Korac from Botiguard about the results of the study and how to protect yourself.
Your study reveals a rather bleak picture of the situation in Germany: 5.15 million sensitive data records from companies were found on the Darknet. This number is a frightening signal. How does this data get into the dark web?
There are many reasons. It can be assumed that the majority of data leaks are caused by the private use of business e-mail addresses and passwords, for example when employees visit accounts on shopping sites, dating portals or other websites or use apps. However, the networking of companies with international partner companies, which in many cases do not meet the necessary security standards, also promotes data leaks. Over time, more than 300,000 passwords end up on the dark web for some companies.
However, most of the passwords are likely to be out of date…
That’s correct. But if only 1 percent of the passwords still work, that’s still 3,000 possible gateways for industrial espionage or ransom blackmail.
What happens to this data?
Cyber criminals trade company data on the dark web. They use this data, such as names, passwords, e-mail addresses or purchasing behavior, to carry out various types of attacks. They hack into accounts or bank accounts, send phishing emails or spam and extort ransom money. The dark web is a real shopping paradise for cyber criminals. There’s nothing here that doesn’t exist: drugs, lost credit cards, hacked shopping accounts, counterfeit money and much more.
Many companies are not even aware that their data is continuously being collected and ends up on the dark web. But it affects all of us without exception – companies, organizations and private individuals…
Absolutely. For example, when we hear that companies have been hacked, we don’t think we could be affected. Since companies usually have a dense digital network, other companies – even if their own security is good – can also be badly affected. To say: “Fortunately it didn’t hit me” is therefore too short-sighted.
What new insights does the study provide?
The study showed that the actual numbers are much higher than assumed. So far we have assumed that a hit rate of 40 percent is a very high value. However, this figure has turned out to be the lower end.
Which are the sectors with the highest hit rates?
Companies that have already been hacked are in first place with 100 percent. It is safe to assume that company data will be available on the dark web after a hacker attack. Listed companies are in second place with 97 percent, followed by the energy sector in third place (71 percent).
How do you explain that? Since this area is strictly regulated by the BSI KRITIS specifications?
Here – as in all other sectors – industry representatives have to seek detailed answers. The aim of our study was not to find the reasons for the data leaks, but to create a picture of the situation and determine a ranking. As soon as we get into the details, we are not allowed to analyze further, because then we would need access to the data and that would get us into legal difficulties. It is the task of the industry representatives to take further steps here if necessary.
Why are listed companies so badly affected?
These companies have been in the market for a very long time and have many employees. Nevertheless, they do not belong to the high-risk group because they usually have their own IT experts and IT security teams. Here, the Darknet risk is usually already known and taken into account.
Also state institutions. City administrations, culture & leisure, educational institutions, trade, travel agencies and the financial sector are badly affected. How do you explain that?
State and administration have to operate a large number of websites and e-mail systems for offices, cities and communities. Numerous partner companies are often involved in the culture and leisure sector. At universities, for example, the students are often the drivers who register on different websites. In retail, digital interaction with third-party providers is necessary, which encourages data leaks. In the case of travel agencies, it is the international networking with partner companies that often do not meet the required security standards. In the financial sector, e-mail addresses are also used privately. However, this industry has a high level of IT security expertise, which minimizes the dangers of cyber attacks. As I said, in order to come to a definite result here, the industry representatives are in demand.
If you consider that in many cases companies and organizations operate other websites, the number of unreported cases is likely to be much higher…
That’s right. For our study, we conservatively only ever used the primary website as a basis. As a result, these results are likely to be even more blatant.
Which sectors are doing well?
One example is the food industry. The food industry is a well-established, static industry that leaves few digital traces. This makes her much less endangered. The health sector also had one of the lowest hit rates on the Darknet at 42 percent.
What can companies do? Or better: what do you have to do?
Must is correct. Because if you do nothing here, you are acting negligently – for your own company and for others.
So what are your top tips?
Point one: Make cyber security a purchasing criterion for software and services. This means securing yourself with contractual agreements and only choosing providers who offer this. Then you have already achieved a lot.
But many contracts already exist. What are you proposing here?
Put contracts to the test and put them out to tender again. This is painful, but there is no other way because the providers are trying to drive up the costs.
Top tip two?
Prevent private use of IT and e-mails in companies. Dating, football, shopping sites – all of these are risk factors. If the sites visited are hacked, company emails and passwords end up on the dark web.
What else can you do?
Conduct a regular dark web audit to see what data has been leaked. Preferably from an external service provider to minimize legal risks. It is also essential to have regular IT security checks carried out by specialist staff.
What must the state do?
The BSI, the Federal Office for Information Security, can use our study results to make a new decision on the need for data leak analyzes in the IT baseline protection standard.
How can I protect myself as a consumer?
It is very important: always (!) use different passwords. If a password ends up on the dark web, cybercriminals have access to all accounts with this password.
Most providers also offer two-factor authentication. Always activate this. With these two measures you are already 99 percent safe.
The study report can be requested at www.botiguard.net/de.
Botiguard regularly conducts studies on the security situation in Germany and the EU. The company specializes in ransomware attacks, among other things. The results from these studies help to improve cyber security in Germany.
26,122 companies from 80 sectors and categories were checked. These include services, health, government institutions, culture & leisure, trade, media, educational institutions and energy. It is probably the largest study of its kind in Germany.
As CyberForum, we are very aware of the relevance of the topic. In our high-tech.entrepreneur.network, we have many member companies that are active in this field. The Karlsruhe IT security initiative (KA-IT-Si) is also one of our special interest groups. We also raise awareness and provide information on the subject of cyber security at regular events.
Pay a fat ransom or rather play it safe?https://www.techtag.de/startups/fettes-loesegeld-zahlen-oder-lieber-auf-nummer-sicher-gehen/