The Dirty Secrets of the Dark Web and What CEOs Can Do to Mitigate Them

Ever wondered what lies deep beneath the Internet, deeper than the everyday search engines and websites that billions of people visit each day? While the honest citizenry of the world spend their time online visiting what’s generally known as the Surface Web—the troves of websites that are indexed and easy to find—other more nefarious actors are busy in the Dark Web.

Drugs and firearms for sale. Stolen bank accounts and personal data files. Illicit activities, and more. It all lives on the deep, dangerous bottom layer of the Internet known as the Dark Web, and it’s getting more dangerous every day.

“Deep Web” vs. “Dark Web”

The terms Deep Web and Dark Web are sometimes used interchangeably, but they are actually quite different. The Deep Web, also commonly known as the “Invisible Web” or “Hidden Web,” refers to anything on the Internet that is not indexed, with its content hidden behind login forms, and includes uses such as webmail, online banking, restricted access social media pages and profiles, some web forums that require registration for viewing content, and more. Internet experts estimate the size of the Deep Web at between 96 percent and 99 percent of the Internet.

The Dark Web is essentially a subset of the much larger Deep Web that is intentionally hidden and requires a specific browser to access. While no one knows for certain how big the Dark Web is, cyber experts estimate it to be at 5 percent of the total Internet. To access it, you’ll need to use an open-source browser and other related tools, and specifically, you’ll need TOR. And that’s where the danger begins for businesses.

TOR stands for The Onion Router, so-called because it uses the onion routing protocol for hiding information regarding user activity, location, and usage from anyone who conducts network surveillance or traffic analysis. TOR is often used by journalists, political dissidents, and criminals to keep their communications private. The development of the onion routing protocol was sponsored by the US Naval Research Laboratory in the 1990s, with TOR actually developed by the Navy and independent researchers in 2002. Fast forward to 2022 and the TOR protocol is now supported by The Tor Project, a nonprofit organization.

Caution: Do Not Enter

Entering into the Dark Web can prove incredibly dangerous for anyone, and it’s why you should not even consider lurking in the realm of the Internet unknown. According to a noted cybersecurity specialist at the FBI, the Dark Web is “messy, chaotic, full of scammers, dangerous minds, and even killers . . . that’s just for starters.” Once there, even if employees know what the Dark Web is, accessing and navigating it is no simple task, because once connected, it’s full of surprises, many of them not good.

How dirty is the Dark Web? An international law enforcement effort targeting illegal drugs (marijuana, LSD, Ecstasy) and controlled substances distributed without a prescription (pressed Adderall, Xanax) on the Dark Web resulted in 150 arrests and seizures of more than $31 million in 2021—a mere drop in the bucket in terms of the illegal activities on the Dark Web.^[1]

What’s worse, many small business owners have no idea the Dark Web exists, let alone the role it plays in exacerbating data breaches. Even worse, some small businesses might not even be aware they’ve been compromised until after their data has been bought and used by someone else.

Just imagine if an employee got curious about the Dark Web while on the company network. They find their way in and fall upon a treasure trove of what seems to be innocent content. Next, they download the seemingly harmless files, only to now expose your organization to a rash of malware. Within minutes, the infected files have spread throughout your entire network. Databases are corrupted. Sensitive company IP starts vanishing. Ransomware notes appear on employees screens. Science fiction? you may wonder. Hardly—it’s happening every day in corporate America, and your company could very well be the next victim.

I’ve always espoused the notion that the vast majority of employees are honest, hard-working, law-abiding citizens. For the fraction of those that are nefarious and deceitful, it’s hard—almost impossible—to fully stop their bad intentions. Here’s just a small list of what employees can do on the Dark Web:

• Use corporate resources to purchase illegal goods and services.
• Download underage pornography
• Join chat forums and groups that promote illegal activities.
• Hire hackers for nefarious and illegal purposes.
• Even worse, hire people to hurt, intimidate, or even assassinate someone.
• Use corporate services to mine Bitcoins.

The list of illegal and downright dangerous activities on the Dark Web are limitless, and as a business owner, you need to ensure that your employees do not have access to the Dark Web.

How to Protect Your Business from the Dark Web

1. Block the Aforementioned TOR or “The Onion Router”: There are ways to greatly reduce—but unfortunately, not ever fully block—TOR. Speak with your IT staff about developing a blacklist, and then creating an explicit outbound deny rule on your firewalls based on those specific sets of IPs.

2. Have a Clear Policy on Open-Source Browsers: TOR is free and open-source software for enabling anonymous communication, but it can be a tool that invites danger to an organization if an employee decides to delve into the Dark Web with TOR. Employees need to know that should they engage in questionable online activity while on the company network, there will be severe consequences, such as immediate termination. To be clear, the policy on TOR should be straightforward and stern: Download the TOR bundle on any company computer or use the TOR network and you are fired.

3. Offer Employees Comprehensive Security Awareness Training: While organizations can spend a king’s ransom on industry-leading security tools and solutions, all it takes is one wrong click of the mouse to infect a network. The importance of comprehensive security awareness training for all staff cannot be overlooked. Employees who truly understand today’s growing cybersecurity risks and threats are an organization’s best line of defense in protecting your network and valuable assets. The more they know, the better guarded they’ll be, and that means they’ll clearly understand the dangers of the Dark Web.

^[1] “FBI and Partners Target Online Drug Markets,” video on FBI.gov.