There’s Good News and Bad News FIRST, THE BAD NEWS: Island Hopping Is Gaining Steam … and it’s not a Holiday Thing Just the other day, a friend of mine discovered $20K missing from his bank account. Looking back, he remembered receiving an email from his online banking company, asking for some verifying information. “It looked legitimate,” he said. “I clicked on a link in the email to fill in a form to verify my account.” Sure enough, a bad actor had used the information about my friend’s smaller online account to then initiate a transfer from the larger bank account to the criminal’s account. … As a side note, in the end, it was the smaller bank that paid the price. What happened to my friend is unfortunately a not-so-uncommon example of a relatively new attack technique gaining steam among cybercriminals called Island Hopping. Bad actors target large organizations indirectly, gaining access first to smaller, more vulnerable partner company networks to eventually infiltrate the larger company. (The Solar Winds breach was another example of this, where attackers gained access to larger networks via one smaller player). Why Island Hopping Attacks Are On The Rise Criminals are getting bolder, and better at what they do, largely because environments are vulnerable to the techniques that they’re using to get in the door. High payouts and valuable sensitive data to be obtained are clear motivators for cybercriminals. But getting IN via smaller partner businesses is easier. As we know, fewer SMBs have adequate security in place to protect internet-connected systems. Either they don’t think they have enough to offer criminals, or they think cybersecurity is too costly a business decision, instead of part of the cost of doing business. On top of it, there’s been a large increase in digital payment transactions, some of which can be relatively easily intercepted, or initiated via links to fake websites, just for example. According to a VMware report in May, there was a 58% increase in Island Hopping among financial institutions from this year to last. But the trend is affecting businesses in all sectors. Criminals have become more ambitious, with the goal being not just of one transfer at a time, but to hijack entire institutions in order to reach those institutions’ customers. THE GOOD NEWS: There are things you CAN do to better protect yourself and your company against attack (and it’s easier than you might think). Strong cybersecurity posture is critical to establishing and protecting a company’s brand. The ability to stand up against cyberthreats (protection, monitoring, and response), is vital to winning customers’ trust. Here are the two biggest MUSTS for cybersecurity on our list. 1. Email Security Island Hopping attacks, along with a host of other methods, often start with phishing emails where attackers impersonate a representative from a legitimate company and persuade the victim to disclose personal information, click on a link, or download malware. Phishing emails have become aggressive and difficult to detect. An email security solution could be a good option to detect signs of account compromise and allow admins to remove suspicious emails. 2. Identity Management Most cyberattacks are successful because of human error or vulnerability – whether it’s a shared or stolen secret, an easily guessed password, or an undetected and acted upon phishing email. It’s for this reason, we believe this is where to attack the problem. The user’s identity, in other words, should always be tied to the login. Use multi-factor authentication (MFA) with at least one factor being “who you are” – tied to a device that is verifiably yours, and native or built into the technology so that you are not adding friction. |
TraitWare is Passwordless MFA – native in the technology, so it’s there from the day you set it up with your own device. This makes it more secure AND much simpler to use. |
To learn more about how TraitWare is helping to simplify and secure access for companies, including in the financial sector, with Native Passwordless MFA plus Single Sign-On for Zero Trust Access, listen to what our customers are saying. |
Perhaps you’ve considered MFA for your company but have questions about cost, simplicity, time to deploy, or user experience. Questions? Just curious or want to chat? We’re here to help. |