Security and EDI, the Trojan horses of cyber attackers
Published on 2 September 2021
If no one is safe from a cyber-attack, then the multiplication of EDI flow increases the vulnerability of a company. Indeed, EDI flows with less protected subcontractors can be privileged entry points for attackers. The choice of a reliable and certified EDI provider is becoming more and more necessary.
SMEs, the weakest link in cybersecurity
When it comes to cybersecurity, small businesses are the weakest link and the ones that attackers are targeting, so that they reach larger targets. Faced with this phenomenon, some companies use rating companies to estimate the security level of their suppliers and eventually select them according to their score. This approach is extremely costly and is nevertheless reserved for a few large international companies.
A study conducted by cybersecurity firm BlueVoyant shows that of the 1,500 companies surveyed, 77% of CISOs and CIOs report a complete lack of visibility into their vendors' security. At the same time, 82% have experienced at least one data breach in the past 12 months. This lack of control over third-party security can be explained by the fact that a company’s cyber resources are obviously focused on securing their own information systems. Some companies send a security questionnaire to their partners to assess their practices, but the average company has about 1000 partners, which limits the company's ability to control them. Cyber threats and protection systems are constantly evolving, and even systems that may appear to be the most mature, such as EDI (Electronic Data Interchange), are not always the most secure.
EDI, a secure technology, but not safe from attackers
By design, EDI flows are secure: the protocol ensures the integrity and traceability of exchanges. The data itself is encrypted, which guarantees its confidentiality and integrity, but EDI flows can potentially be exploited by hackers to infiltrate the information system of a company or its EDI provider, or to divert data indirectly.
Since the 2010s, EDI network flows initially carried by the specialized X25 network have given way to IP and Internet connections. In the same way, the use of EDI has expanded, especially among SMEs, thanks to the development of Web-EDI type solutions, accessible to all. Any company can communicate EDI data via a simple Web browser and this democratization increases the risk of computer hacking.
The ecosystem, a concept too often underestimated by companies
For example, a supplier who links his computer to a client, so he can obtain a list of addresses, will open a connection between the two platforms. By attacking the supplier, the cyber attacker opens a breach towards the client’s company.
While it is appropriate for the supplier to protect its customers, it is also up to the client to qualify the trust it places in the supplier. Intrusion attempts are polymorphous: if identity theft is the most frequent case, companies must generally limit the flow of sensitive data communicated within their ecosystem.
The support of all EDI formats and protocols on the market is the first criterion for choosing an EDI solution. The platform must support EANCOM, EDIFACT, XML, UBL, HL7, JSON, PDF or X12, but also offer interfaces with ERP and business software packages such as SAP, Microsoft, Oracle or Sage. Finally, the EDI provider must obviously have interoperability capabilities with all the countries with which the company will have to exchange. But nowadays, you must also choose your EDI provider according to its maturity and its investments in cybersecurity.
The role of the EDI provider has evolved; it has become a key player in protecting companies from these attacks and the company itself must ensure the seriousness of the protections put in place by its EDI provider before connecting to its service.
Certifications and standards are a way to ensure the seriousness of its processes. An ISO 27001 certification appears as an essential criterion in the selection of an EDI provider. It is up to the provider to ensure that the data flow is not subject to a "Man in the Middle" attack. It is also the provider who stores the data exchanged between EDI partners. This storage must therefore be encrypted to ensure that, even if an attacker manages to penetrate the defenses in place, he cannot exploit the data exposed to his attack. Asymmetric encryption is the most secure solution to protect data, but some players are now turning to Blockchain technology to further increase the security level of their EDI.
Generix Group North America provides a series of solutions within our Supply Chain Hub product suite to create efficiencies across an entire supply chain. Our solutions are in use around the world and our experience is second-to-none. We invite you to contact us to learn more.