Cybercriminals are notoriously good at the art of uncovering the paths of least resistance that lead to an organisation’s valuable assets and confidential information. To counter this, security professionals have introduced more robust and sophisticated measures to make it harder for attackers to succeed. In response, criminals are switching tactics, opting for “island hopping”, where they infiltrate a single, weaker target to open up routes into larger enterprises – and a paradise of interconnected organisations.
Island hopping represents a significant threat to any organisation that works with third parties. Particularly susceptible are those enterprises that engage with all sizes of vendors, contractors, and service providers. Unfortunately, smaller suppliers with potentially weaker security postures can become easy entry points for cybercriminals and pose a substantial risk to their larger clients.
Suppliers in all shapes and sizes
Small businesses themselves agree that cyberattacks are a top concern, as highlighted in a survey where only half said they were ready to deal with one if it happened. Even when suppliers appreciate the importance of cybersecurity, they may lack appropriate resources and be unable to afford the level of defence and monitoring capabilities that are necessary.
While business partners and suppliers are not consciously letting bad actors into their networks unchallenged, adversaries are taking advantage of these trusted relationships. Criminals know that organisations often grant their business partners some level of access to their systems, making them prime targets for phishing, social engineering, and man-in-the-middle attacks. Malicious actors are also well aware that suppliers are often given more access to systems than they actually need, as shown in a 2022 Ponemon Institute report. It found that organisations that had experienced a breach caused by third parties reported that 70% of these breaches occurred as a direct result of giving those third parties too much privileged access.
For many enterprises, the dilemma is how to secure their business from island-hopping attacks while at the same time being able to continue working with valued suppliers, whatever their shape and size. The problem needs a solution capable of closing vulnerable security gaps in the collaborative workflow, but that also keeps relationships running smoothly.
Always-on zero trust authentication
As a defence, a zero trust authentication strategy can play a pivotal role, ensuring that suppliers don’t unwittingly become the bridge for island hopping. Instead of assuming that users and devices are trustworthy, this approach requires continuous verification of every user, device, and application that tries to access resources, based on fine-grained authorisation that can accommodate nuanced data sharing across internal and external users.
By extending this centralised approach to suppliers and third parties, organisations can have visibility and access control of their entire ecosystem in one place, including users, suppliers, partners, roles, and applications. Always-on verification against dynamic risk indicators such as network device, identity, and location ensures that, after authentication is granted, the session is also monitored throughout each digital interaction to detect any unauthorised access or hijacked session. In this way, any suspicious access can be denied or terminated.
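As an added illustration (not taken from any product or from the author of this article), the sketch below re-evaluates a supplier session on every request instead of trusting it after login. The field names, the decision labels and the drift thresholds are assumptions chosen for the example, and the sample requests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Risk indicators seen on one request (field names are assumptions)."""
    device_id: str
    network: str    # label for the source network, e.g. an ASN
    country: str
    resource: str   # what the request is trying to reach

@dataclass
class Session:
    user: str
    baseline: Context     # context captured when authentication succeeded
    allowed: frozenset    # least-privilege scope granted to this supplier
    active: bool = True

def evaluate(session, ctx):
    """Re-verify a single request. Returns (decision, details)."""
    if not session.active:
        return "deny", ["session terminated"]
    # Fine-grained authorisation: a valid login does not widen the scope.
    if ctx.resource not in session.allowed:
        return "deny", ["resource outside supplier scope"]
    # Compare the live indicators with those seen at authentication time.
    drift = [f for f in ("device_id", "network", "country")
             if getattr(ctx, f) != getattr(session.baseline, f)]
    # Assumed policy: a new device, or two or more indicators changing at
    # once, is treated as a possible hijacked session and ends it.
    if "device_id" in drift or len(drift) >= 2:
        session.active = False
        return "terminate", drift
    if drift:
        return "deny", drift   # single anomaly: refuse this request only
    return "allow", drift

def demo():
    """Constructed supplier session and requests, for illustration only."""
    base = Context("laptop-7f3a", "AS64500", "GB", "invoices")
    s = Session("supplier-acct", base, frozenset({"invoices", "purchase-orders"}))
    requests = [
        Context("laptop-7f3a", "AS64500", "GB", "purchase-orders"),  # in scope
        Context("laptop-7f3a", "AS64500", "GB", "hr-records"),       # out of scope
        Context("laptop-7f3a", "AS64501", "GB", "invoices"),         # network drift
        Context("unknown-dev", "AS64511", "NL", "invoices"),         # all indicators changed
        Context("laptop-7f3a", "AS64500", "GB", "invoices"),         # after termination
    ]
    return [evaluate(s, r)[0] for r in requests]

if __name__ == "__main__":
    print(demo())
```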
Having the right kind of authentication tools in place will help to minimise risks and, if backed up with education and supporting materials, can further enhance security for all parties. Offering free cybersecurity training to suppliers can help them improve their ability to defend and respond to threats as well as understand obligations to compliance regulations. This mutual commitment of time and resources can cement and build longer-term commercial partnerships.
While zero trust authentication significantly strengthens security, it can never completely eradicate the risk of a breach when dealing with third parties. However, it does ensure that every access attempt is rigorously verified, reducing the odds of a successful attack. Adopting a zero-trust mindset puts organisations in a much safer place than those naively trusting anyone who seemingly has legitimate credentials, but turns out to be an island-hopping cyber tourist with criminal intentions.