Wednesday Jan 11, 2023

Dark web monitoring and avoiding FUD decisions

Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring

Scenario: FUD report from a competitor

Perceived: Multiple users in their environment were breached. Perceived proof was report with the listing of the users and the passwords and columns that the customers did not know what that data was.

Good: Customer told their current IT service provider about the report.

FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:

  • The key aspects of FUD (and how it does not work)
  • What the Dark Web is, and the logistics of monitoring and combating it
  • Leadership training and best practices for helping a team best meet their security and regulation requirements
  • Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
  • Shared responsibility between MSPs, their customers, and those customers’ clients

Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?

What really is the risk and the mitigation?

Put the efforts into prevention.

Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.


Perception of the proper allocation of the budget

Businesses must make time for training.

ITSP must include in service catalog what the client is getting in terms of services.

  • What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.

Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.

Common business objections to allocating time for training

Payroll costs, but avoiding training is not legally defensible anymore.


The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.

Four pillars

  • Policies
  • Technical controls implemented
  • Automation of technical controls
  • Reported to the business – It’s YOUR report, your organization.
    Shared responsibility – some months the CFO does it, some months the CEO does it.
    Set a schedule and do it. 3 weeks any habit; trainer or partner

Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.


An interesting lawyer opinion on the topic:

Comments (0)

To leave or reply to comments, please download free Podbean or

No Comments

Copyright QPC Security All rights reserved.

Podcast Powered By Podbean

Version: 20240320