When I first heard the term “the Dark Web,” I was instantly intrigued. My mind conjured up images of characters in shadow tones and raven-like creatures lurking behind stone buildings that for some reason can only be accessed via back alleys. My brain immediately began to assess the potential impact or liability the Dark Web could have to business. More importantly, what is the obligation of business owners and executives to manage the impact of this new reality to shareholders, employees, boards, and clientele? Especially in the business world today as leaders, executives, and those with professional designations become more accountable for the actions of employees and the impact to the bottom line. Do businesses need to be concerned with all things painted the Web shade of black?
Dark web, deep web, darknet, dark internet. The list could extend for this entire paragraph and probably more with terms, terminology, definitions, and descriptions. With the English language, we all seem to have a tendency to make up our own definitions based on personal perspective. I have long given up arguing about it. That said, for the sake of clarity, I am going to talk about what I refer to as the Dark Web and I am going to capitalize both words because it looks more ominous. A simple explanation of what is being discussed here is those websites which some people are compelled to explore that are not accessible by traditional Web browsers. The purpose of this article is not how to access these websites as there are scads of research and documentation available on that topic using any web browser as a guide.
Once you start researching information about all of the above, you will most likely become as confused by the terminology as I have been. I will share with you what I share with project teams. Don’t let terminology get the best of you. Just make sure that you are clear with yourself, your team, and your company, what it is that you are talking about. Define it. The actual label might not matter as much as having a common understanding within your group as to the definition and why there is interest and concern to the organization. What we need to concern ourselves about are employee behaviours and the impact of those behaviours.
Think about things that people like to do (a lot) and not get caught doing. Potential answers don’t even have to be addressed here. The thoughts that just went through your mind are exactly the things that you want to ensure are not impacting your business. At the low end of the scale, should your employees choose to spend time pursuing personal interests on the Web or the Dark Web, there is a cost to your organization. That cost will manifest itself via lost or unproductive time. While difficult to measure, you can be assured that this lost or unproductive time does exist. We then move to the high end of the scale. Consider corporate resources that are utilized for illegal activities. The debate is not one of the consequences. There are consequences.
The obligation of organizations is to minimize the risk. When measuring risk, there are two aspects to consider. The first is what the likelihood is of the risk occurring. The second is, if the risk is realized, what the impact will be to the organization. It then becomes a decision by those whose job it is to utilize the resources of the company as to whether the investment in prevention is of greater value than the cost if the risk were to be realized.
Keep in mind that unless your organization happens to be the RCMP, or the FBI, or even Interpol, it is not your responsibility to try to do their job. But it is everyone’s responsibility to not encourage or promote illegal activity. And it is important to protect the best interests of your organization by doing what you can to manage the opportunity and ability of employees or perhaps even clientele to conduct inappropriate or illegal activity utilizing corporate resources and/or on corporate time.
To find out what organizations can do to minimize this risk, I did what I usually do. I turned to my friends for free advice. For this purpose, I connected with my good friend Brian Zerr. Brian is the Director of IT Security for a company called SRG Security Resource Group Inc. Brian spends his days talking to people about security breaches, the impact to business, and the prevention of all of the above. I like Brian because he has a motorcycle and when we find ourselves in the same city, Brian will drink beer with me.
Brian shared with me the three tier methodology that SRG promotes. This begins with a formal approach to employee awareness, because, like definitions, what is perceived as acceptable practise will vary greatly between individuals. Allow me to digress for a moment to a point in time very early in my career. I was conducting interviews for an administrative position. As I was walking toward the reception area to retrieve the next candidate, I noticed people walking from the reception area who were giggling and whispering and looking backward. I figured I would find out soon enough what was going on. I did. The next candidate was a young lady who was attired in a leopard skin print blouse and rather snug fitting black leather slacks. I proceeded with the interview and found her to be someone who would most likely move onto the short list. I did ask her why she chose what she was wearing and her reply was simply that it was the nicest outfit that she had in her closet. Perception. Perception is why we need to be very specific about what it is we are defining and we have to be even more specific about what is and is not acceptable behaviour.
I’ve actually been disturbed by the Internet ever since the 90’s when I found out that someone on my team whom I thought was a fabulous team member was actually spending a large amount of time surfing porn at a client site. We reacted by implementing the requirement that employees sign a document that they would adhere to certain guidelines regarding the appropriate use of computing resources and electronic files. This might be the time to review your organization’s onboarding policies and procedures to ensure that not only are you capturing a signature on a document, but that the onboarding process is very clear on what the document means and what the consequences will be for non-adherence.
Brian tells me that the next layer is one of technology and I know from experience that technology is getting very sophisticated. As one who often is contracted to do research at a client site, I am quite accustomed to getting warning messages, visits to my workstation from a representative from IT, and even workstation lockouts. The good news is that the technology exists and there is quite likely a capability and cost fit for every size. I just caution you to ensure you gather the capabilities that you require before you go shopping for software. Overkill can be very expensive and difficult to maintain.
The third layer is governance, or more specifically, testing. This is definitely some place where the value of an outside organization may be of benefit. Think of this as a kind of audit. The key rule to a best practice audit is that an organization can show both documentation and implementation of policies and procedures. It isn’t enough to write it down and it isn’t enough that someone in the organization has the information in their head and can do it. It must be written down, where the proper individuals identified via the governance model within the organization can find it easily. And you need to show evidence of implementation. If the Dark Web audit police show up at your door without a moment’s notice, can you provide them with the documentation and walk them through the implementation? If not, Brian tells me that these CIOs are soon out of a job. Okay, full disclosure: I just made up the term “the Dark Web audit police.” But it is not made up that a board of directors would be quite concerned if they were advised that there were no policies or procedures in place to preempt this type of activity.
While attending an event a few years back, I had the pleasure of sitting at a table with an undercover police officer who stated simply that there are bad guys out there. And like an undercover police officer, if someone has the desire and the intent to access these sites, it is our responsibility to ensure that we remove the ability and the opportunity to utilize corporate resources to do so.