When you hear the phrase “island hopping,” you may think of cruising beautiful sandy beaches on a tour of tropical islands. Unfortunately, cybercriminals have given the term a new, less pleasant spin.
Island hopping is an increasingly popular method of attacking businesses. In this approach, cybercriminals target a business indirectly. In order to reach their final destination, hackers first go after their target’s smaller strategic partners. So, vendors or affiliates, who might not have the same level of cybersecurity, become stepping stones to hop.
Attackers might hack into smaller businesses that handle the target’s HR, payroll, accounting, healthcare, or marketing. Then, they take advantage of the pre-existing relationship to access their final destination.
The process is quite simple: attackers gain access to Company A and send a counterfeit business communication to Company B. Company B, knowing the sender, is less likely to question a download link or opening an attachment. After all, the attack isn’t coming from a stranger – it’s a message from your well-known partner. Humans are trusting, and unfortunately cybercriminals exploit that. With island hopping, attackers leverage the trust established between strategic partners.
The Rise of Island Hopping
Island hopping is not a brand-new form of attack. In fact, it’s named after a military strategy that the United States used in World War II to establish a stronghold in the Pacific Islands.
Perhaps the best-known island hop cyberattack was seen in the United States in 2013. Retail giant Target was the aptly named target of a point-of-sale system breach. Ultimately, Hackers stole payment information from about 40 million customers. The first “island” in the planned attack was Fazio Mechanical Services, one of Target’s strategic partners. The heating and refrigeration firm suffered a malware attack shortly before Target’s breach. As a result of this attack, Fazio’s hackers stole email credentials needed to access Target’s networks.
As enterprises continue to strengthen their cybersecurity, it’s predicted that island hopping will gain momentum. According to Accenture’s Technology Vision 2019 report, less than a third of businesses globally know how strategic partners secure their networks. A majority (56%) rely on trust that business partners would uphold security standards.
Preventing Island Hopping
You may be one of the islands to hop or the attackers’ final destination; it ultimately depends on your business size and industry. Either way, your business is vulnerable to malware attack, infected systems, or a data breach. Additionally, if you’re the stepping stone, you’re likely to lose the target company’s business.
So, how do you prevent island hopping? First, secure your own networks and systems:
- Follow best practices to detect and identify vulnerabilities and reduce risk
- Educate your employees about the dangers of business communication scams
- Raise awareness of phishing schemes and social engineering
- Require two-factor user authentication
- Change all default, generic, or predictable passwords
- Keep security up to date (patching and system upgrades are mandatory)
- Control who can access your networks and servers
- Protect all endpoints (including employee devices in a Bring Your Own Device workplace)
When it comes to cyber island hopping, your business doesn’t want to be a layover or the final destination. Keep your cybersecurity borders tight to avoid unwanted visitors.
Partner with a Managed Service Provider (MSP) to make your business inhospitable to island hoppers. An MSP can assess your cybersecurity, provide a plan to reduce risk, and upgrade technology. Let us support your efforts to fend off unwanted tourists.
STG IT Consulting Group would love to show you all we can offer as your Managed Service Provider.
Click here to schedule a free 15-minute meeting with Stan Kats, our Client Engagement Specialist and Senior Technologist.
We proudly serve Greater Los Angeles and surrounding areas for all of your IT needs. We look forward to meeting with you!