How to prevent corporate credentials ending up on the dark web

A little over $3,000 — that’s how much stolen corporate network credentials tend to go for on the dark web. Although the exact asking price for an individual’s credentials may depend on several factors, like how much revenue their enterprise makes, particularly valuable organizations may even see their login details auctioned off for as much as $120,000. While a successful ransomware attack is capable of fetching cybercriminals almost 10 times as much in ransom, even expensive credentials can be money well spent.

Unfortunately for enterprises, the consequences of corporate credential exposure on the dark web are not just limited to direct financial loss. Ease of access to company login details may also lead to (among other things) a damaged company reputation, loss of intellectual property, and increased insurance premiums.

With a rising incidence rate of advanced persistent threats that can move laterally within infected networks, a single employee’s credentials can be enough for a threat actor to wreak havoc across an entire organization.

The number of exposed corporate credentials continues to rise

Last year saw a 429% increase in the number of corporate login details with plaintext passwords exposed on the dark web. This dramatically increased rate of exposure means that an average organization is now likely to have 17 sets of login details available on the dark web for malicious actors to exploit.

It’s not just small and medium-sized enterprises with poor cybersecurity that are seeing their credentials shared on hacker forums. This year, SpyCloud found almost 26 million Fortune 1000 business accounts and 543 million employee credentials circulating on the dark web, a 29% increase from 2020.

Even companies that are supposed to be on the front line of cyber defense are overexposed to this threat vector. A staggering 97% of cybersecurity companies have had their data leaked on the dark web.

6 ways to keep corporate credentials safe

Luckily, organizations are not totally helpless when it comes to its passwords being put up for sale on the dark web. Below are six steps every business can and should take to ensure their corporate credentials remain secure.

1. Use unique passwords for all accounts and systems

The first step in keeping any organization safe is communicating to employees the importance of using different passwords for different accounts and systems.

Cybersecurity professionals have been warning companies about the necessity of strong, unique passwords for decades. Yet, despite plenty of warnings, password reuse remains common practice. The average employee is likely to reuse the same password about 13 times. Even worse, 29% of stolen passwords are weak. For example, the SpyCloud Breach Exposure Report discovered that Fortune 1000 employees were no strangers to using passwords like 123456789, (companyname), and Password.

At the very least, organizations should ban the use of these “bad passwords”. Look at NordPass’s list of “Top 200 most common passwords of the year 2020” to get a better idea of which passwords should be on your organization’s banned password list.

However, seeing how workers manage too many passwords to make each a unique one and still remember them all, expecting employees to do so is not exactly realistic. One way you can encourage workers to create unique passwords is to give them access to a password manager. By allowing employees to use a password manager for personal use as well, you will significantly reduce the likelihood that they’ll reuse the same password across different applications. This approach is made even more crucial as 73% of employees duplicate their passwords in personal and work accounts. It’s all too easy for a hacker to gain access to an employee’s Netflix account one day and breach their employer’s corporate network the next.

2. Replace all passwords regularly

Even if your employees do everything right when it comes to passwords, your organization’s corporate credentials could still appear on the dark web. According to a survey by the Ponemon Institute, 53% of companies experienced at least one data breach as a result of compromised third-parties in the last two years.

Changing passwords regularly (every few months or so) can help ensure that even if your organization’s corporate credentials appear on the dark web, they will no longer be “fresh” and, therefore, less useful to cybercriminals.

3. Enable multi-factor authentication

According to Microsoft, most account takeover attacks can be blocked with multi-factor authentication (MFA).

MFA adds an extra layer of protection, making it much more difficult for cybercriminals to log in as someone else. Unless a malicious actor manages to access an employee’s phone, email, or USB in addition to gaining access to their password, they won’t be able to log into their corporate accounts or systems.

However, keep in mind that MFA, especially SMS MFA, is not foolproof. Hackers have tools to spoof, intercept, and phish SMS.

4. Provide safety awareness training to employees

Employees are the weakest link in any organization’s security posture. A Tessian report found that 43% of US and UK employees have made mistakes that resulted in cybersecurity repercussions for their organizations. Phishing scams, including emails that try to trick employees into sharing corporate login details, are particularly common.

Educating employees on cyber threats and how to spot them is crucial to mitigating attacks. However, for training to be effective, it needs to consist of more than just repetitive lectures. In the report mentioned above, 43% of respondents said a legitimate-looking email was the reason they fell for a phishing scam, while 41% of employees said they were fooled because the email looked like it came from higher up. Live-fire security drills can help employees familiarize themselves with real-world phishing attacks and other password hacks.

Safety awareness training should also teach workers the importance of good practices like using a virtual private network (VPN) when working from home and making social media accounts private. Discouraging oversharing online is equally as important. More often than not, hackers can get all the information they need to craft a convincing phishing email by scrolling through someone’s social media.

5. Monitor the dark web

If you suspect that your organization’s corporate credentials have been exposed on the dark web, you can run a dark web scan. There are many tools that enable you to do so, many of which are free. For example, WatchGuard lets you check if your company’s assets are in danger at no cost.

That said, you shouldn’t search the dark web just once. Data breaches happen all the time, so you need to monitor the dark web continuously. To save time, consider investing in dark web monitoring software.

Dark web monitoring tools scan the dark web on your behalf, notifying you as soon as they come across any compromised credentials for sale that belong to your company. Dark web alerts should give you enough time to act before threat actors use your organization’s login details for malicious purposes.

6. The holy grail — go passwordless

With 80% of hacking-related breaches caused by compromised credentials, it makes no sense to rely on passwords. Instead, many businesses are turning to passwordless authentication. In a recent LastPass survey, 92% of organizations said that passwordless authentication is the future.

What makes passwordless authentication more secure is that users don’t have to enter a password or any other memorized secret to log in to an application or IT system. Instead, users can prove their identity based on either a “possession factor” (such as a hardware token or a one-time password generator) or an “inherent factor” (like a fingerprint).

Not only can going passwordless strengthen an organization’s security, but it can also improve the user experience. In its “Passwordless Future Report,” Okta discovered that almost 50% of users feel annoyed by passwords. In addition, about one in five employees experience delays in their work due to forgotten passwords, and more than one in three employees are frequently locked out of their accounts completely. Unsurprisingly, 64% of cybersecurity professionals say user experience is the reason their organization is eliminating passwords.

Other benefits of going passwordless include a lower total cost of ownership (reducing support ticket numbers) and better visibility over identity and access management.