
Third party problems: island hopping


Stuart Hodkinson at PlainID explains why Island Hopping is an unexpected threat

In a world where data is shared with nearly every online interaction, the possibilities for businesses are endless. Increased interconnectivity allows for greater collaboration with other organisations, wherever they are in the world.

However, every additional data flow is also an additional touchpoint that an attacker can exploit to reach sensitive information.

As expected, larger enterprises tend to have far more robust cyber-security controls, and criminals know it, so they shift their attention to more manageable targets. By compromising a smaller third-party partner that holds credentials for, or a standing connection into, a larger enterprise, they can abuse that pre-approved entry point and “hop” into the larger company’s systems.

This practice, known as ‘island hopping’, poses a significant threat to any organisation that works with external partners, especially those that work closely with international contractors, vendors and service providers. Once a partner’s systems are compromised, every trusted relationship that partner holds becomes a route into the larger client.

Threats of all sizes and kinds

There have been many notable breaches recently, with Sony, Microsoft and the PSNI all suffering the consequences of failed cyber-security controls. The old adage of ‘too big to fail’ does not apply.

At the other end of the scale, small businesses may be well aware of the risk a breach poses to themselves and their partners, yet lack the bandwidth or resources to deal with an attack if the worst happens.

Good intentions do not equate to good security. A third-party client or supplier will not knowingly let an attacker into its network, but the level of unrestricted access it is often granted makes it a far more attractive target. Third-party users are routinely subjected to phishing, social engineering and man-in-the-middle attacks, all aimed at the credentials and sessions that reach the shared information.

This then presents the third party with a dilemma – how can they keep their systems secure whilst still being able to effectively deliver for organisations that might be the lifeblood of their business?

Always reconfirm identities

If organisations want to get serious about their security, Zero Trust authentication is the best defence against island hopping for businesses of all sizes. Its guiding principle is that no device, even one managed by the business, is assumed to be clean: it may already be compromised or trojanised. Because trust is never absolute, every device and user is re-authenticated each time it accesses sensitive information, not just once at the start of a session.

This approach also lets organisations define the conditions under which an authorisation is granted, down to a granular level. For example, the context of a request, including device type, time, location and the state of the device at the moment the request is made, can be cross-referenced against policy, and machine learning can help decide whether a request looks genuine or suspicious.

Organisations can also go one step further, designing authorisation policies that only enable access to the information required by the third party, rather than granting blanket access to the whole digital environment.

Additionally, an always-on approach to verification, ensuring that every digital interaction is monitored for suspicious activity, will mean that if bad actors do island hop into the system, their session can be terminated immediately.
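The mechanisms described above, conditions such as device type, time and location, a resource scope far narrower than the whole environment, and a fresh decision on every request with the session terminated on the first failure, can be expressed as a small policy evaluator. The Python below is an added example written for this article, not PlainID’s product or the author’s own code: the policy model, the vendor account, the resource names and the sequence of requests are all constructed for illustration, and it uses explicit rules where the text mentions machine learning as one way to score request context.

```python
# Added example: context-aware, least-privilege authorisation for a partner account.
# Not PlainID's or the author's code; all names and requests here are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Policy:
    """What one third party may touch, and under which conditions."""
    subject: str                        # the partner account this applies to
    allowed: dict                       # resource -> set of permitted actions
    managed_device_only: bool = True    # reject BYOD / unknown device posture
    countries: frozenset = frozenset()  # empty means no geo restriction
    hours: tuple = (0, 24)              # [start, end) hour window, UTC


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    device: str        # "managed" | "byod" | "unknown"
    country: str       # ISO 3166-1 alpha-2
    at: datetime       # tz-aware timestamp of the request
    session_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: Policy, req: Request) -> Decision:
    """Decide one request from scratch; nothing is cached from earlier ones."""
    if req.subject != policy.subject:
        return Decision(False, "subject not covered by this policy")
    actions = policy.allowed.get(req.resource)
    if actions is None:
        return Decision(False, f"resource {req.resource!r} outside granted scope")
    if req.action not in actions:
        return Decision(False, f"action {req.action!r} not permitted on {req.resource!r}")
    if policy.managed_device_only and req.device != "managed":
        return Decision(False, f"device posture {req.device!r} rejected")
    if policy.countries and req.country not in policy.countries:
        return Decision(False, f"country {req.country!r} not in allowlist")
    hour = req.at.astimezone(timezone.utc).hour
    if not policy.hours[0] <= hour < policy.hours[1]:
        return Decision(False, f"{hour:02d}:00 UTC is outside window {policy.hours}")
    return Decision(True, "all conditions satisfied")


class SessionMonitor:
    """Always-on verification: re-check every request; one denial ends the session."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.terminated = set()

    def handle(self, req: Request) -> Decision:
        if req.session_id in self.terminated:
            return Decision(False, "session already terminated")
        d = evaluate(self.policy, req)
        if not d.allowed:
            self.terminated.add(req.session_id)   # kill the session, not just the request
        return d


# Constructed policy: read one payroll export only, from a managed device in GB/IE, 08:00-18:00 UTC.
VENDOR_POLICY = Policy(
    subject="vendor:payroll-co",
    allowed={"hr/payroll-export": {"read"}},
    countries=frozenset({"GB", "IE"}),
    hours=(8, 18),
)


def allowed_at(hour: int, device: str = "managed", country: str = "GB") -> bool:
    req = Request("vendor:payroll-co", "hr/payroll-export", "read", device, country,
                  datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc), "probe")
    return evaluate(VENDOR_POLICY, req).allowed


def demo() -> list:
    """A valid read, an attempted hop to an ungranted resource, then a retry of the valid read."""
    mon = SessionMonitor(VENDOR_POLICY)
    common = dict(subject="vendor:payroll-co", device="managed", country="GB",
                  at=datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc), session_id="s-1")
    reqs = [
        Request(resource="hr/payroll-export", action="read", **common),
        Request(resource="finance/ledger", action="read", **common),   # lateral move
        Request(resource="hr/payroll-export", action="read", **common),
    ]
    return [mon.handle(r).allowed for r in reqs]


if __name__ == "__main__":
    print(demo())   # [True, False, False]
```

Two properties of this evaluator carry the argument. The decision is recomputed from the current context on every call, so a credential that was valid at 10:00 from a managed laptop in GB buys nothing at 19:00, from a BYOD device or from another country. And the first request outside the granted scope ends the session rather than merely returning an error, so an attacker who has hopped onto a valid partner credential cannot keep probing for what else it can reach. In a real deployment the allowlist and conditions would come from a central policy store rather than from code.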


By specifying exactly which data a third party can reach, in combination with the Zero Trust approach, risk is continually reduced: even a compromised partner account can only expose a small, well-defined corner of the system.

Detect and prevent

Adopting a Zero Trust approach to authorisation requires organisations to centralise their access monitoring, covering both the home network and the third parties that interact with the business. With the right tooling in place, suspicious activity can be detected in real time, before major damage is done.

However, detection alone is only half the battle. Educating colleagues, whether they be in-house or external, to understand their personal role in the battle for cyber-security will be essential.

Offering free cyber-security training to suppliers helps them improve their ability to defend against and respond to threats, and to understand their compliance obligations. At a time when budgets and bandwidth are tight, third parties, especially smaller organisations, will welcome any additional training. Going the extra mile for your partners also makes them far more likely to remain partners for years to come.

Attackers are becoming more sophisticated; a zero-trust approach reduces the chance of a successful attack but can never eradicate the risk entirely. Yet by shifting attitudes to include the continual re-authentication of even trusted users, the chance of becoming the next island-hopping victim is significantly reduced.

Stuart Hodkinson is VP EMEA at PlainID

Main image courtesy of iStockPhoto.com


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543