Here are three words you never want to hear: “We’ve been hacked.” This phrase strikes fear into the heart of even the most seasoned IT professional. Being the victim of a data breach has so many implications. Your reputation is ruined, you suffer financial losses, and recovery can be a long, drawn-out process (if it happens at all).
Keeping your EDI system secure is a vital aspect of protecting the rest of your organization. The good news is that it is not an insurmountable or impossible task. Read on to learn what risks you face by not securing your EDI system as well as the steps you can take to keep your system safe from threats.
What Are the Risks of Not Securing Your EDI System?
In 2009, the Ponemon Institute, an IT industry analysis firm, conducted its first study on the cost of cybercrime in the US. Since then, it has gone on to release global and country-specific reports on an annual basis. The researchers’ findings are chilling.
Between the publication of the 2016 and the 2017 reports, the number of records accessed during breaches increased by nearly two percent. The average cost of a data breach is $3.62 million dollars. It can be difficult to get your head around a number that big, even if your sales are even greater than that figure, so let’s break it down further. The average cost of a lost or stolen record is $141, and if you are breached once, there is an over 25 percent chance that you will experience another attack in the next two years.
Here is more dispiriting news. While companies across the globe experience data breaches, it is more expensive in some parts of the world than others. If you are located in North America, the cost of your data breach is one of the highest in the world ($225 per capita in the US and $190 in Canada). The average total organizational cost is also significantly higher in the US; it is $7.35 million there, as opposed to $1.52 million in Brazil. In addition, the cost of notifying customers in the US is the highest of any country in the study, at $690,000. Furthermore, companies in the US paid the highest price ($4.13 million) of all of the countries surveyed for losing customers.
It should not come as any surprise that the more records that are stolen or lost, the higher the overall cost. In 2017, the average cost of an incident with less than 10,000 records was $1.9 million, while the cost was $6.3 million for incidents involving 50,000 records.
What also should not be surprising is that the sooner the breach can be identified and contained, the lower the overall costs will be. Discovering the attack and acting quickly to minimize and rectify the damage means fewer customers will be affected (and thus, you will have to notify fewer people and the scope of your forensic investigation will be smaller).
Even the largest and most successful companies do not have millions of dollars to devote to data breaches. No one has the time or money to spend researching how the hackers pulled off the attack or what data they accessed. It is also an expensive business notifying customers, who then may be so upset and frightened that they will take their business elsewhere.
Protecting Your EDI System from a Data Breach
The terrifying scenario of a data breach does not have to come to fruition, though. There are steps you can take to drastically reduce your risk of an attack.
Step One - Assess the Risk: The first action you should take is to assess the security risks associated with your EDI system. When you think about the idea that your EDI system is vulnerable to threats, it is tempting to invest in the most up-to-date, comprehensive security systems so that there is not even the slightest chance that anyone can penetrate the system. While that approach might give you peace of mind, it can cost you far more money and resources than necessary; what you really need is exactly the right amount of security.
A security risk assessment of your EDI system helps you determine the sweet spot of the right amount of protection for your needs. The first step in the assessment is to define your software assets. Record the name of your EDI system, who owns it (is it in the cloud, does it run on-premise, or is it hybrid?), where it is located, and who the point of contact is for information about your EDI system. In the event of a crisis, you do not want to be running around hunting for the person who knows the most about your EDI system and how to contain the attack; that information should be readily available.
Part of a security assessment is to map connections between the EDI system, network resources, and applications it uses. One of those connections might be vulnerable, and if you can figure that out now, you can save yourself from a data breach later.
Step Two - Determine Data Sensitivity: The second step to keeping yourself safe from an EDI system data breach is to determine how sensitive your data is. Some companies transmit information that could be used to identify people (an issue in the healthcare industry) or proprietary data that could seriously damage a firm if it was stolen. The more sensitive the data, the more protection it needs.
Step Three - Identify Mission-Critical Risks You Face: Third, consider what kinds of security risks you face. As the saying goes, “Forewarned is forearmed,” and EDI systems face specific threats of which you should be aware. There is the unauthorized disclosure of sensitive data, unauthorized modification of data (which affects how trading partners receive and act upon information), lack of system availability (which impinge upon your ability to use your EDI system), unauthorized system access and use, and sender and receiver repudiation of a transaction.
The threats that your EDI system faces can place it in jeopardy. Your EDI system must be able to authenticate messages, protect them against repudiation, make data available, and stay operational. The integrity of messages must remain intact, and the information therein needs to be confidential.
Measures and Countermeasures
Once you have completed the aforementioned steps, it is time to select what countermeasures you are going to employ against threats to your EDI system. Industry experts recommend calculating the annual losses you would experience per vulnerability. Some aspects of your EDI system may have higher amounts of risk than others; those are the areas that should be your top priority to secure.
Each functional area of your EDI system has its own security measures (or set of security measures). To ensure that your authentication functionality is not affected by attacks, you can utilize access control techniques such as passwords. Cryptographic techniques such as message authentication codes and digital signatures also help authenticate EDI messages. Nonrepudiation relies upon these techniques, too.
Ensuring EDI system availability will require backing up data and putting a recovery plan in place. Testing your recovery plans is critical. You need to know that they work before disaster strikes.
EDI systems have transaction-specific security requirements, too. Cryptographic techniques maintain message integrity as well as confidentiality. Access controls are another step you can take to make sure that your messages are not altered and that the information contained in them stays private.
Identifying security risks and putting measures in place to protect your EDI system requires a certain amount of expertise. Some firms possess these skills and knowledge, while others might have some catching up to do. Determining whether you can perform these tasks in-house or whether you need to outsource these duties is vital.
A third-party EDI specialist is an excellent resource for your EDI system security needs. He or she is well-versed in how EDI systems work, their vulnerabilities, and how to best protect them. When you bring a third-party EDI specialist on-board, you gain peace of mind that your investment is safe. Moreover, you can focus on your core business.
Choose a specialist that has experience in your industry and who has worked with firms of your size. The right EDI specialist takes time to understand how your company works and what processes are currently in place. Most importantly, he or she is concerned about forging a long-term relationship; your company is more than just a number.
Your EDI system should not be a source of risk. To learn more about keeping it and your firm protected, contact us.
