A guide to defending your practice from the Dark Web

Cyber security has arguably become just as important as physical security for your home. The rapidly expanding technological landscape is partly to blame for the rise in cyber-attacks: the more web-connected devices you have, and the more data you store in that technological ecosystem, the more likely you are to be vulnerable.

The main reason businesses fall victim to this growing digital threat is a lack of understanding and appreciation of it, which in turn stems from a lack of education. If your staff fail to comprehend the severity and style of the potential threats, you will still be left vulnerable even if you have the best technical defences and protocols available.

It is in all our interests to protect our livelihoods from a rapidly expanding threat, which is why we at P2, as a technology-driven organisation, endeavour to share our insights and information to help support and raise awareness among the local business community.

Why are professional service firms at particular risk?

It goes without saying that as an accountant or a legal practice, you hold a considerable wealth of sensitive information about your clients and their private lives, finances and assets. The data you share and the transactions you make are of considerable financial and commercial value, especially in the wrong hands, which is why we are seeing an unfortunate trend of accountants and solicitors being especially targeted by the cybercriminal world.

In this article, we are exploring the Dark Web. You have probably come across the term “Dark Web” at some point, but what does this somewhat ominous term refer to?

The Dark Web

The Dark Web is a collection of websites that are only accessible with a specific web browser. It is used by criminals as a place to access, purchase and advertise illegal goods or activities anonymously. It is made up of small one-to-one networks as well as large, popular networks used by many; it is intentionally hidden and is estimated to be the equivalent of around 5% of the total internet.

Among other illicit activities, the Dark Web is used as a place to trade usernames, passwords and other sensitive personal and commercial information. If you have suffered as a result of a breach – directly or indirectly – it is incredibly likely that your private data will end up listed within the Dark Web; it’s where cybercriminals will reap the reward for their endeavours.

Why should I care about my credentials being exposed on the Dark Web?

It is easy, and very common, to be in denial about the Dark Web's validity as a threat rather than tackling its dangers to your business head-on.

But if it is possible that your data, particularly the access credentials (usernames and passwords) you use for your systems, has been exposed, you urgently need to take precautions.

As humans, it is perfectly natural to use patterns and repetition to make things easier and simpler to remember; and with countless applications, IT systems and tools requiring usernames and passwords, it has become a real chore to keep on top of best practice for password management.

With this convenience comes an enormous vulnerability: if you, or members of your team, reuse the same credentials across systems, and those credentials become exposed, the cybercriminals (and everyone they share those credentials with on the Dark Web) will have carte blanche access to your entire digital world.

How did my credentials end up on the Dark Web in the first place?

App breaches

Your data may be caught up in the efforts of cybercriminals in a number of ways. In most cases, however, your private information will have been exposed through no fault of your own or of any member of your business: most commonly, credentials end up on the Dark Web as the result of a breach of one of the software applications, websites or cloud tools that you use.

You will not be alone or have been singled out – hundreds, if not thousands, of the exposed provider’s users will have been caught up in the exposure.

Aside from this, there are a number of other cyberattack methods that you may have fallen victim to, in which your data could have been stolen or captured. These include:


Ransomware

Ransomware is a form of malicious software that locks and encrypts your computer, with the cybercriminal demanding a ransom to once again allow you access to your data.

The cybercriminal is using your own information against you – the files are still on your computer or server; however, they’re all encrypted, completely out of your control, and inaccessible to you. They create a sense of urgency by giving you a time limit to pay up before they delete it all or release it onto the Dark Web, causing many businesses to pay the ransom almost immediately.

But what criminal is true to their word? Paying up does not necessarily mean they will return the access you desire, leaving you out of pocket and still without your data.

It has also been known that, should you meet a cybercriminal's demand by paying the ransom on time, and by some miracle they do return your files, they now know you are liable to pay up; so do not be surprised if they try to repeat the exercise and con you once more, particularly if they know you have cyber liability insurance in place to foot the bill.

Phishing

Phishing is the practice of a cybercriminal duping users into sharing their genuine information through the use of fake or fraudulent emails and websites.

Phishing scammers use emails as a vessel to carry their malicious links. The aim of the cybercriminal is to manipulate the email recipient into believing that the message is something of high importance: a message from the bank, for instance, or an urgent instruction from someone senior within their company. This is usually built around a time-sensitive subject of some description, in the hope that the recipient opens the email and its attachments, visits the linked website and submits information such as login credentials or, worse, follows the email's instruction to make a payment transfer.

Malware

Malware (malicious software) is software specifically designed with the intent of stealing private data, or simply of causing destruction and chaos.

In its mildest form, malware is an inconvenience, filling your web browser with pop-up adverts or changing your browser home page; at its worst, it can take the form of a keylogging application, silently running behind the scenes on a user's device, capturing every keystroke they make and collecting sensitive details and login credentials that are sent back to the hacker unbeknownst to the user.

How can I do something about the Dark Web?

Ensuring that you employ a range of best practices to defend your organisation from a myriad of cyber threats should be at the top of your priority list.

Specifically, to combat the risks posed by the Dark Web and the likelihood of your or your team's credentials becoming exposed, we recommend the following:

Password policies

From length, complexity and uniqueness to frequently timed resets, there has been a variety of best practice advice over the years when it comes to passwords.

To ensure your system access is protected, we recommend that you continue to follow the advice on complexity, i.e. avoid sequential numeric passwords and personal names or identifiable information, and on uniqueness, i.e. use a different password for each of the individual systems you use.

That way, not only will your passwords be difficult to guess, but should one be exposed, only the single system whose password has been breached will be vulnerable to exploitation; all your other systems will remain protected.

Additionally, so that you do not have to remember all of those unique and complex passwords, consider adopting a password management tool: an encrypted programme behind which all of your credentials are stored, ready for you to access systems with a click, without the need to key in any information.

User education

Without awareness of the broad range of threats and the forms they can take, your users will unknowingly be a huge gap in your defences.

Take time to regularly talk through the landscape of threats and use examples which your team can rely on as a cheat-sheet guide to analysing threats.

Ultimately – if you don’t recognise it or trust it – question it.

Multi-factor authentication

To go one step further beyond secure passwords, multi-factor authentication (MFA) provides a second-step barrier to prevent your accounts and IT services from becoming breached, even if your password has been exposed.

MFA works by sending a unique login code to your mobile phone, via SMS or through an authenticator application. The code must be entered within a time frame of 10-30 seconds to successfully log in; it expires and is renewed immediately after that time has lapsed.
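
As an added illustration of the time-limited login code described above (example code written for this article, not P2's own), here is a minimal RFC 6238 TOTP generator and server-side verifier in Python: it uses the 30-second step the standard specifies, tolerates one step of clock drift, compares codes in constant time, and refuses a code whose time step has already been used. The shared secret is the RFC 4226/6238 test-vector key, used here only as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample input: the RFC 4226/6238 test-vector key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Server-side check: accept the code for the current step or one step either side,
    and never accept a code for a step at or before the last accepted one (blocks replay)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps
        self.last_used_counter = -1

    def verify(self, submitted: str, at_time: float) -> bool:
        current = int(at_time) // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_used_counter:
                continue                            # replayed or stale step: reject
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_used_counter = counter    # burn this step so the code cannot be reused
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code)
    print("accepted:", TotpVerifier(SAMPLE_SECRET).verify(code, now))
```

The same code submitted a second time, or outside the drift window, is rejected, which is what makes a stolen code useless to an attacker once its short time frame has passed.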

Tackling your cyber threats head-on

At P2 Technologies, we are helping professional service organisations just like yours to get ahead of their cyber concerns, meet compliance objectives and stay a step ahead in a digital age.

If you have doubts or lack peace of mind about your cybersecurity defences, policies or education, have challenges meeting compliance obligations, or simply wish to level up your approach to technology, we can help.

Please contact our team today for a free, no-obligation discovery call, in which we will learn about your business so that we can provide tailored advice on the best path forward for a secure and prosperous future.