- Tom Kellermann, VP of Cyber Risk, HITRUST
Cybercriminals are increasingly exploiting the networks of smaller, often overlooked partners to reach high-value targets — a tactic known as island hopping. This method targets vulnerable vendors and turns trusted business relationships into pathways for intrusion.
According to Verizon’s 2025 Data Breach Investigations Report, third-party breaches have increased 100% from last year, and island hopping has increased dramatically as well. In these breaches, island hopping occurs when cybercriminals hijack an organization’s digital transformation and then launch cyberattacks against that organization’s customers.
Why is mitigating island hopping important?
Cybercriminals are evolving their conspiracies and escalating their intrusions. Mitigating island hopping is paramount to protecting one’s brand. Thwarting island hopping goes beyond perimeter security due to the ephemeral technology environments of corporations. Recognize that adversaries will get in and that success is defined by the speed at which we suppress the cybercriminal to prevent the island hop.
How can island hopping be mitigated?
Organizations must embrace effective Third-Party Risk Management (TPRM) strategies to strengthen supply chain security and business resilience. Leverage HITRUST's comprehensive portfolio, which integrates threat-adaptive security assessments with operational enablement tools that make strong and efficient TPRM practical, driving cost reductions, risk mitigation, and program simplification. With a unique combination of relevant, threat-adaptive controls and a proven, reliable assurance methodology, HITRUST helps organizations manage and mitigate third-party cyber risk.
This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of your customers. As your organization digitally transforms, it must practice cyber vigilance. Doing so will enhance customer loyalty and protect your brand, thus allowing you to ward off island-hopping cybercriminals and regulatory penalties.
Cybersecurity can no longer be viewed as an expense but rather as a business functionality, given that cybercrime has a material impact on businesses. CISOs and CMOs must work together to protect the organization’s digital brand and remember that a dynamic cybersecurity blueprint is fundamental to managing third-party cyber risks.