The phrase “island hopping” conjures up pleasant visages of sunset cruises, swaying palm trees, cool trade wind breezes and icy cold tropical beverages, right? Island hopping in the compliance space creates a significantly less appealing scenario.
Your dealers must be doubly sure that the “islands” connected to their business, their supply chain, and access vectors are just as secure as the dealership.
Island hopping is a term for a cyberattack in which the target (“island”) is not the ultimate goal, but just a steppingstone (or an island “hop”) on the way toward the ultimate target.
Hackers focus their attack on the ultimate target’s partner network and look for smaller more vulnerable affiliates of the ultimate partner, frequently in the ultimate target’s supply chain. Once they gain access to the affiliate’s computer network they “island hop” into the ultimate target’s network. This is the modern day version of an attack against the “weakest link in the chain.” Recently published reports indicate that island hopping is present in 50% of all attacks.
It Was Our Contractor
One of the most well-known island hopping attacks involved Target. There, the cybercriminals hacked into Fazio Mechanical’s computer network with an email malware attack. Fazio was Target’s HVAC contractor.
According to some reports the only security deployed by Fazio was a free antivirus program. Once in the Fazio’s computer network, the hackers were able to gain access to Target’s vendor payment portal and from there they were able to hack into Target’s network containing point-of-sale data and obtain credit card and personal data on more than 40 million consumers.
The Safeguards rule requires the maintenance of “physical, electronic and procedural safeguards to protect the confidentiality and security” of collected information. Some businesses ignore this clear mandate and take no action to protect their client data and to protect their own business.
Some businesses take moderate action to secure their own facility but no action outside the “four walls” of their business. The problem with this approach, is that the digital marketplace exponentially expands the areas, which must be safeguarded.
If you consider your dealer clients’ customer records as the “target island,” what other “islands” are available for hackers to exploit on their way toward that valuable data? Consider the following diagram:
Each of the listed vectors potentially have access to your customer data. What steps have your dealers taken to prevent an island hopping attack on their businesses? As part of your duty to safeguard client data, have they done due diligence on their vendors, do they have access controls on their network, and are employees trained to detect phishing and social engineering attacks?
All businesses suffer “compliance fatigue.” The headlines seem to be a relentless parade of data breaches, hacking exploits, and episodes of ransomware being deployed against municipalities, hospitals, and businesses. Your dealers must be proactive and fight compliance fatigue with a compliance management system. In Target’s case, the failure to safeguard client data resulted in an $18.5 million payment to resolve state-level investigations conducted in 47 states and the District of Columbia.
Be sure to enjoy scenic island hopping on your next vacation. But know your dealers must be doubly sure that the “islands” connected to their business, their supply chain, and access vectors are just as secure as the dealership — or be prepared, like Target, to write a very large check!
DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney/client relationship is being created by your review or use of this material.
© 2019 Robert J. Wilson, All Rights Reserved
Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space and he regularly consults with Lenders and contributes articles on various compliance related issues.