How Cybercriminals Could Be Infiltrating Your Supply Chain

In today’s modern technology landscape, you would expect for large organisations and enterprises to have advanced cyber defences in place - but can the same be said for their partners?

Cybercriminals have mastered the art of uncovering the paths of least resistance that lead to an organisation’s valuable assets and confidential information. To counter this, security professionals have introduced more robust and sophisticated measures to make it harder for attackers to succeed.

Yet, organisations are only as strong as their weakest link, and if a large organisation has invested in its cybersecurity infrastructure without its partners doing the same, then they have opened the door to “island hopping”. 

Cybercriminals are increasingly opting for island hopping, where they infiltrate a single, weaker target to exploit existing credentials and gain access into larger enterprises – essentially, a paradise of interconnected organisations. 

Island hopping represents a significant threat to any organisation that works with third parties. Particularly susceptible are those enterprises that engage with all sizes of vendors, contractors, and service providers.

Unfortunately, smaller suppliers with potentially weaker security postures can become easy entry points for cybercriminals and pose a substantial risk to their larger clients.

A Paradise For Cybercriminals

Even when suppliers appreciate the importance of cybersecurity, they may lack appropriate resources and be unable to afford the level of defence and monitoring capabilities that are necessary.  Although, business partners and suppliers are not consciously letting bad actors into their networks unchallenged, adversaries are taking advantage of these trusted relationships.

Cybercriminals know that organisations often grant their business partners some level of access to their systems, making them prime targets for phishing, social engineering, and man-in-the middle attacks. Malicious actors are also aware that suppliers are often given more access to systems than they need. Therefore, the question for many enterprises has become, how do they secure their business from island hopping attacks, whilst at the same time being able to continue working with valued suppliers, whatever their size? This problem needs a solution capable of closing vulnerable security gaps in the collaborative workflow, whilst also keeping partnerships running smoothly.

The Role Of Zero Trust

A zero trust authentication strategy can play a pivotal role in an organisation’s cybersecurity infrastructure and ensure that suppliers don’t unwittingly become the bridge for island hopping attacks. Instead of assuming that users and devices are trustworthy, this approach requires continuous verification of every user, device, and application which tries to access resources, based on fine-grained authorisation that can accommodate nuanced data sharing across internal and external users.

By extending this centralised approach to suppliers and third parties, organisations can have visibility and access control of their entire ecosystem in one place, including users, suppliers, partners, roles, and applications.  Always-on verification from dynamic risk indicators such as network device, identity, location, ensures that after authentication is granted it is also monitored throughout each digital interaction to detect any unauthorised access or hijacked session. In this way, any suspicious access can be denied or terminated.

Utilising zero trust authentication can be the difference between being a victim of cybercrime or thriving while protected.

Having the right kind of authentication tools in place will help to minimise risks and, if backed up with education and supporting materials, can further enhance security for all parties. Offering free cybersecurity training to suppliers can help them to improve their ability to defend and respond to threats as well as understand obligations to compliance regulations.  This mutual commitment of time and resources can cement and build longer term commercial partnerships.

It’s important to understand that the risk of a breach is never completely eradicated when dealing with third parties. However, zero trust authentication significantly strengthens security and ensures that every access attempt is rigorously verified, reducing the odds of a successful attack.

Adopting a zero trust mindset puts organisations in a much safer position than those who trust anyone who seemingly has legitimate credentials but turns out to be an island hopping cyber tourist with criminal intentions.

Stuart Hodkinson is VP EMEA at PlainID

Image: Erik_and_so_on

You Might Also Read:

Mapping Out The Journey To Zero Trust:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Intelligence Chiefs Accuse China Of IP Theft & Online Deception
A Microchip To Reshape Artificial Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

SiteGuarding

SiteGuarding

SiteGuarding provide website security tools and services to protect your website against malware and hacker exploits.

Cysec - TU Darmstadt

Cysec - TU Darmstadt

CYSEC is the Cybersecurity faculty of the Technical University of Darmstadt and performs internationally renowned research in numerous areas of cybersecurity.

Namogoo

Namogoo

Namogoo’s disruptive technology identifies and blocks unauthorized product ads that are injected into customer web sessions by client-side Digital Malware.

ThreatSpike Labs

ThreatSpike Labs

ThreatSpike Labs provides the first end-to-end fully managed security service for companies of all sizes.

GMV

GMV

GMV is a technological business group offering solutions, services and products in diverse sectors including Intelligent Transportation Systems, Cybersecurity, Telecoms and IT.

Cyber Physical Security Research Center (CPSEC)

Cyber Physical Security Research Center (CPSEC)

CPSEC aims to contribute to the security enhancement of industrial infrastructure that creates value across cyber space and physical space.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Kickstart

Kickstart

Kickstart supports your startup in scaling deep technology businesses in Switzerland in areas such as AI, Blockchain and Cybersecurity.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

FYEO

FYEO

FYEO is a threat monitoring and identity access management platform for consumers, enterprises and SMBs.

National Cryptologic Foundation (NCF)

National Cryptologic Foundation (NCF)

The National Cryptologic Foundation strives to influence the cryptologic future by sharing our educational resources, stimulating new knowledge, and commemorating our heritage.

National Coordinator for Security and Counterterrorism (NCTV) - Netherlands

National Coordinator for Security and Counterterrorism (NCTV) - Netherlands

The NCTV serves the Netherlands’ national security. We protect national interests, identify threats and strengthen resilience.

Rhodian Group

Rhodian Group

Rhodian Group (formerly Adar) specialize in providing Technology, Cybersecurity, and Compliance services to the insurance industry.

EPIQ Infotech

EPIQ Infotech

EPIQ Infotech is a trusted consulting and implementation partner for Oracle JD Edwards and Amazon Web Services (AWS).

Boltonshield

Boltonshield

Boltonshield provide a unique and proactive approach to cyber defence with managed security services, integrated technologies, and a team of security experts, ethical hackers and analysts.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.