
Island hopping — How cyber criminals are capitalizing on poorly defended partners


By Tom Ammirati, Chief Revenue Officer, PlainID

In the modern technology landscape, large organizations and enterprises may have advanced cyber defenses — but do their partners? At a rapidly increasing pace, cybercriminals are entering through the doors of smaller, less defended businesses in order to ultimately gain access to the larger organization that has implemented a more robust security system.

Organizations are only as strong as their weakest link. If a large organization has invested in its cybersecurity infrastructure without its partners doing the same, it has opened the door to island hopping, which allows criminals to bypass corporate security infrastructure via interactions within a partner network. The goal is to hop from data store to data store until they reach their ultimate destination, whether that is sensitive company data or employee and customer credentials, to further their criminal deeds.

According to this cyberattack prevention survey, only half of the small businesses that participated are prepared for a cyberattack. Because smaller companies are often stretched for resources, they frequently have not protected their environments adequately. The security solutions that detect threats, prevent damage and protect important company assets are usually not in place. These gaps are what make island hopping such an effective strategy for cybercriminals.

Cybercriminals often use island hopping to target third-party companies in order to reach the treasure trove of data held by a national retailer, large healthcare provider, or critical infrastructure operator. They know the chances are high that vendors, third-party service providers, and partners have weaker security hygiene, training, and infrastructure. Your partners are not consciously letting bad actors in, but adversaries are taking advantage of their limited resources — specifically targeting small businesses with minimal defenses and strong ties to large organizations.

The victims of island hopping

Island hopping is a major disruptor with consequences that can last for years, potentially opening organizations up to ransomware attacks. A recent example is Toyota Motor Corp., which was forced to suspend its factory operations at 14 plants in Japan after a supplier of plastic parts and electronic components was hacked last February. As a result, the company’s output was cut by nearly 13,000 cars.

Island hopping can also happen on a smaller scale. If you routinely order food for your staff from the same website, island-hopping criminals can use that information to compromise the restaurant’s website and use it as a watering hole to gather information they can then use to target your business.

The role Zero Trust plays in a modern cybersecurity posture

Adopting Zero Trust can be the difference between becoming a victim of cybercrime and thriving while protected. To reduce this risk, a Zero Trust solution can be paired with a clear single-panel view of company data, so that it is easy to see who has authorized access to what and who can authenticate that access. These steps form an authentication process that confirms the user is who they claim to be and not a compromised account. If an account is compromised, the last thing an organization wants is an unchecked adversarial user holding administrative privileges.

It is important to highlight that no single cybersecurity solution can stop an island-hopping attack with 100 percent certainty. However, authentication and authorization processes are key ways to isolate an intrusion and prevent continuing damage. The modern and future security perimeter includes much more than the on-prem environment and cloud systems; it extends to your partners’ and their suppliers’ environments. Essential security extends to everything connected within the network, no matter how loosely.
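The isolation described above, as an added example that is not part of the original article or any PlainID product: a deny-by-default authorization check for partner identities, with a single-panel report of effective rights and a function showing which internal resources a compromised partner credential could reach. All identities, resources and policy entries are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    org: str            # "corp" for employees, otherwise the partner's name
    mfa_verified: bool  # outcome of the authentication step for this session

# Constructed sample policy: explicit allow-list per (identity, resource);
# anything not listed is denied. The supplier entry is deliberately over-broad
# to show the partner guardrail below catching a misconfigured grant.
POLICY = {
    ("supplier-acme", "orders-portal"): {"read", "update", "admin"},
    ("alice", "orders-portal"): {"read", "update", "admin"},
    ("alice", "customer-pii"): {"read"},
}
ORG = {"supplier-acme": "acme", "alice": "corp"}  # identity -> organization
INTERNAL_RESOURCES = ["orders-portal", "customer-pii", "hr-records", "plant-controls"]

def authorize(ident: Identity, resource: str, action: str) -> tuple[bool, str]:
    """Deny-by-default decision: returns (allowed, reason)."""
    if not ident.mfa_verified:
        return False, "authentication incomplete"
    granted = POLICY.get((ident.name, resource), set())
    if action not in granted:
        return False, "no policy grants this action"
    if action == "admin" and ident.org != "corp":
        # guardrail: partner identities never receive administrative rights,
        # even when a policy entry was misconfigured to grant them
        return False, "admin denied for partner identity"
    return True, "ok"

def access_report() -> dict[str, dict[str, list[str]]]:
    """Single-panel view: effective rights per identity, computed through the
    same decision function so the guardrail is reflected."""
    report: dict[str, dict[str, list[str]]] = {}
    for (name, resource), actions in POLICY.items():
        ident = Identity(name, ORG[name], mfa_verified=True)
        effective = sorted(a for a in actions if authorize(ident, resource, a)[0])
        report.setdefault(name, {})[resource] = effective
    return report

def reachable_from(ident: Identity, action: str = "read") -> list[str]:
    """Internal resources this identity can reach: the 'hop' surface if the
    account were compromised with a fully authenticated session."""
    return [r for r in INTERNAL_RESOURCES if authorize(ident, r, action)[0]]

if __name__ == "__main__":
    stolen = Identity("supplier-acme", "acme", mfa_verified=True)
    print(reachable_from(stolen))   # only the order portal, nothing beyond it
    print(access_report())
```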

To aid partners, it is recommended to require audits of their procedures and security policies. Providing free training, advice, or resources to prevent attacks is not only smart security-wise, it is also a token of good business. This investment of time and resources builds a bond while making the response more manageable and affordable if an attack were to happen.

After providing resources to educate partners, it is crucial to strongly advise them to implement authorization and authentication solutions that provide a single-panel view of the company’s network. You may expect an attack from state governments or cyber groups in the future, but for now, it may actually come from your underprepared partners and suppliers. The security landscape is constantly evolving, and organizational defenses must change with it.

About the author

Tom Ammirati is Chief Revenue Officer at PlainID.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
