Security and EDI, the Trojan horses of cyber attackers
Published on 28 June 2021
No one is safe from a cyber attack, and the multiplication of EDI flows increases a company's exposure: EDI flows with less well protected subcontractors can be privileged entry points for attackers. Choosing a reliable and certified EDI provider is becoming more and more necessary.
SMEs, the weakest link in cybersecurity
When it comes to cybersecurity, small businesses are the weakest link and the ones attackers look to compromise first in order to reach larger targets. Faced with this phenomenon, some companies call upon rating companies to estimate the security level of their suppliers and possibly select them according to their score in calls for tender. This approach is extremely costly and is therefore reserved for a few large international companies.
A study conducted by cybersecurity firm BlueVoyant shows that among the 1,500 companies surveyed, 77% of CISOs and CIOs report a complete lack of visibility into their vendors' security. At the same time, 82% have experienced at least one data breach in the past 12 months. This lack of control over third-party security can be explained by the fact that companies' cyber resources are, understandably, focused on securing their own information systems. Some companies send a security questionnaire to their partners to assess their practices, but the number of vendors a company has, on average around 1,000 partners, strains its ability to control them. Cyber threats and protection systems are constantly evolving, and even systems that appear to be the most mature, such as EDI (Electronic Data Interchange), are not always the most secure.
EDI, a secure technology, but not safe from attackers
By design, EDI flows are secure: the protocol ensures the integrity and traceability of exchanges, and the data itself is encrypted, which guarantees its confidentiality and integrity. The scenario in which operations are disrupted by the sending of falsified data can therefore be ruled out, but EDI flows can still potentially be exploited by hackers to infiltrate the information system of a company or its EDI provider, or to divert data in an indirect way.
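The integrity property described above, shown on a constructed EDIFACT interchange (added example, not code from the original article or any EDI provider): the sender attaches an HMAC-SHA256 tag under a key shared with the partner, and the receiver rejects the interchange if any segment, here the delivery address in NAD+DP, was altered in transit. The interchange, key and function names are all assumptions made for this illustration; a real EDI transport such as AS2 would use a digital signature for the same purpose.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed sample EDIFACT interchange (not from the article): one ORDERS
# message whose NAD+DP segment carries the buyer's delivery address.
INTERCHANGE = (
    "UNB+UNOA:4+SENDER01:14+RECEIVER9:14+210628:1200+000000001'"
    "UNH+1+ORDERS:D:96A:UN'"
    "BGM+220+PO-4711+9'"
    "DTM+137:20210628:102'"
    "NAD+DP+++Example Buyer Ltd+12 Harbour Road+Lyon++69002+FR'"
    "LIN+1++4012345678901:SRV'"
    "QTY+21:120'"
    "UNS+S'"
    "UNT+8+1'"
    "UNZ+1+000000001'"
)


def protect(interchange: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag computed over the whole interchange."""
    tag = hmac.new(key, interchange.encode("latin-1"), hashlib.sha256).hexdigest()
    return interchange + "\n" + tag


def verify(protected: str, key: bytes) -> Tuple[bool, str]:
    """Split the tag off, recompute it and compare in constant time.
    Returns (ok, interchange); ok is False if any segment was changed."""
    interchange, _, tag = protected.rpartition("\n")
    expected = hmac.new(key, interchange.encode("latin-1"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag), interchange


def delivery_address(interchange: str) -> str:
    """Return the NAD+DP (delivery party) segment, or "" if absent."""
    return next((s for s in interchange.split("'") if s.startswith("NAD+DP")), "")


def tamper_delivery_address(protected: str, new_street: str) -> str:
    """Simulate an in-transit alteration of the street in NAD+DP: without the
    key the attached tag cannot be recomputed, so verification must fail."""
    return protected.replace("12 Harbour Road", new_street)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared between the two EDI partners
    msg = protect(INTERCHANGE, key)
    print("genuine:", verify(msg, key)[0])
    print("tampered:", verify(tamper_delivery_address(msg, "1 Nowhere Lane"), key)[0])
```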
Since the 2010s, EDI network flows initially carried by the specialized X.25 network have given way to IP and Internet connections. In the same way, the use of EDI has expanded, especially among SMEs, thanks to the development of Web-EDI solutions accessible to all. Any company can exchange EDI data via a simple Web browser, and this democratization increases the risk of computer hacking.
The ecosystem, a concept too often underestimated by companies
Take the case of a supplier asked to retrieve address lists for deliveries: its system queries its customer's system over a flow that links the two platforms through access rights. By attacking the supplier, the cyber attacker opens a breach towards the client company.
While it is appropriate for the provider to protect its customers, it is also up to the client company to qualify the trust it places in the provider, and to do so in every respect, because intrusion attempts take many forms: identity theft is the most frequent case, but companies must more generally limit the flow of sensitive data communicated within their ecosystem.
Support for all EDI formats and protocols on the market is the first criterion for choosing an EDI solution. The platform must support EANCOM, EDIFACT, XML, UBL, HL7, JSON, PDF or X12, but also offer interfaces with ERP and business software packages such as SAP, Microsoft, Oracle or Sage. Finally, the EDI provider must obviously be able to interoperate with all the countries with which the company will have to exchange data. But today, the choice of EDI provider must also be based on its maturity and its investments in cybersecurity.
The role of the EDI provider has evolved: it has become a key actor in protecting companies from these attacks, and the company itself must verify the seriousness of the protections put in place by its EDI provider before connecting to its service.
Certifications and standards are a way to ensure the seriousness of the provider's processes. An ISO 27001 certification appears as an essential criterion in the selection of an EDI provider. It is up to the provider to ensure that the data flow is not subject to a "Man in the Middle" attack. It is also the provider who stores the data exchanged between EDI partners. This storage must therefore be encrypted to ensure that, even if an attacker manages to penetrate the defenses in place, he cannot exploit the data exposed to his attack. Asymmetric encryption is the most secure solution to protect data, but some players are now even turning to Blockchain technology to further increase the security level of their EDI.
Study "Third-Party Supply Chain Cyber Risk - CISO Report", BlueVoyant, November 2020