The phrase “island hopping” conjures up positive images of holidays, sandy beaches and cruises. But cybercriminals have given the term a new, less pleasant spin.
Island hopping is an increasingly popular method of attacking businesses. With this approach, cybercriminals target a business indirectly. The bad actors first go after the target’s strategic partners. These partners may be vendors or affiliates who do not have the same level of cybersecurity and thus become stepping stones on the way to the real target.
Attackers might hack into smaller businesses handling the target’s HR, payroll, accounting, healthcare or even their marketing. They then take advantage of the pre-existing relationship to access their true target.
Humans are trusting and cybercriminals exploit that. With island hopping, attackers leverage the trust already established between strategic partners.
The method is quite simple. For example, attackers gain access to Company A and send a counterfeit business communication to Company B. Company B, which already knows and trusts the sender, is less likely to question clicking on a download link or opening an attachment.
After all, the message is not coming from a stranger; it’s from, say, Jenny at Company A, with whom you constantly exchange messages. You may already have shared logins to various websites or portals, or even passwords to unlock documents, in the past.
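The practical defence against the scenario above is to treat a message from a known partner with a little more suspicion than the relationship invites, because a compromised partner account passes every "is this really Jenny?" check. The script below is an added example and is not part of the original post: it reviews inbound mail from a trusted partner domain and flags the cues the post describes (a download link pointing somewhere the partner has never sent you before, a risky attachment, or a Reply-To that redirects the conversation elsewhere) so the message can be verified out of band before anyone clicks. The partner domains, allow-list and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed allow-list: each trusted partner domain maps to the link domains
# we have previously seen that partner use legitimately (not real organisations).
TRUSTED_PARTNERS = {
    "company-a.example": {"company-a.example", "portal.company-a.example"},
}

# Attachment types commonly used to deliver malware; extend to suit your environment.
RISKY_ATTACHMENT_EXT = {".zip", ".iso", ".js", ".vbs", ".exe", ".docm", ".xlsm", ".html"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def sender_domain(addr):
    """Return the lower-cased domain from a header such as 'Jenny <jenny@x.example>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return match.group(1).lower() if match else ""


def message_text(msg: Message) -> str:
    """Collect the text/plain body of a message, whether or not it is multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def review_partner_message(raw: str) -> list:
    """Return a list of reasons to verify a partner message out of band; empty means nothing unusual."""
    msg = message_from_string(raw)
    from_dom = sender_domain(msg.get("From"))
    if from_dom not in TRUSTED_PARTNERS:
        return []  # not from a partner we track; out of scope for this check
    known_link_domains = TRUSTED_PARTNERS[from_dom]
    findings = []

    # A Reply-To on a different domain pulls the conversation away from the partner's mailbox.
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Links to domains this partner has never used before deserve a phone call, not a click.
    for url in URL_RE.findall(message_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host not in known_link_domains:
            findings.append(f"link to unfamiliar domain {host}")

    # Risky attachment types from a partner are exactly how the stepping stone reaches the target.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment {filename}")

    return findings


# Constructed sample messages for a quick demonstration.
BENIGN = """From: Jenny <jenny@company-a.example>
To: accounts@company-b.example
Subject: March invoice

Hi, the invoice is on the portal as usual: https://portal.company-a.example/invoices/1234
"""

SUSPICIOUS = """From: Jenny <jenny@company-a.example>
Reply-To: jenny.companya@webmail.example
To: accounts@company-b.example
Subject: Updated invoice - please review

Hi, please download the updated invoice here: https://files-share.example/dl/invoice
"""

WITH_ATTACHMENT = """From: Jenny <jenny@company-a.example>
To: accounts@company-b.example
Subject: Contract docs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Password for the archive is the usual one.
--XYZ
Content-Type: application/zip; name="contract.zip"
Content-Disposition: attachment; filename="contract.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("attachment", WITH_ATTACHMENT)):
        print(label, "->", review_partner_message(raw) or "nothing unusual")
```

The point of the allow-list design is that it does not try to decide whether Jenny's account is compromised (it cannot); it only notices when a familiar sender starts behaving unfamiliarly, which is the one signal a stepping-stone attack reliably produces. Flagged messages should go to a phone call on a number you already hold for the partner, never to a number or link in the message itself.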
The Rise of Island Hopping
This form of attack is named after a military strategy which the United States used in World War II to establish a stronghold in the Pacific.
One of the best-known island-hopping cyberattacks was seen in the United States in 2013. The retail giant Target was the aptly named target of a point-of-sale system breach where hackers stole payment information from 40 million customers. The first “island” in the planned attack was Fazio Mechanical Services. The heating and refrigeration firm suffered a malware attack shortly before Target’s breach. From here the hackers stole email credentials needed to access Target’s networks.
As enterprises continue to strengthen their cybersecurity, the bad guys will look for other methods of attack, and island hopping is predicted to gain momentum. According to Accenture’s Technology Vision 2019 report, fewer than a third of businesses globally know how their strategic partners secure their networks. A majority (56%) rely on trust that business partners will uphold security standards – but their standards may not be at the same level as yours!
Preventing Island Hopping
You may be one of the islands or the attackers’ final destination. It depends on who you are, your business size and industry. Either way, your business is vulnerable to malware attack, infected systems or a data breach. Plus, if you are one of the stepping stones, you are likely to lose the target company’s business!
How do you prevent island hopping? First, secure your own networks and systems:
- Follow best practices to detect and identify vulnerabilities and reduce any risk.
- Train your employees about the dangers of business communication scams.
- Raise awareness with your staff about phishing schemes and social engineering.
- Require two-factor user authentication.
- Change all default, generic or predictable passwords.
- Keep security up to date (patching and system upgrades are mandatory).
- Strictly control who can access your networks and servers.
- Protect all endpoints (including employee-owned laptops and mobile devices).
When it comes to cyber island hopping, your business doesn’t want to be a layover or the final destination, so keep your cybersecurity borders tight and avoid any unwanted visitors.
Want to make your business inhospitable to island hoppers? We can help you assess cybersecurity, design a plan to reduce your risks and if needed upgrade any technology. Let us support your efforts to fend off unwanted visitors by calling us now on 08 8326 4364 or firstname.lastname@example.org.