Emerging Attack Vector: Why the Security Industry Should Treat Electronic Invoicing like Electronic Health Records


Electronic invoicing, or e-invoicing, is sweeping the globe as governments seek to eliminate tax fraud and maximize revenue collection; however, it carries the same kinds of security risk that have emerged from other digital transformation initiatives. Specifically, the advent of e-invoicing is akin to the healthcare industry’s introduction of electronic health records (EHRs).
Around the world, governments are beginning to mandate electronic invoices for goods both shipped and received so that tax authorities can keep tabs on every taxable transaction; a few countries have even eliminated paper invoices altogether and now enforce tax rules in real time, validating each invoice before the transaction clears.
Electronic health records remain a vector for attacks
E-invoicing remains in its infancy in most countries. The fear is that as data thieves become aware of it, e-invoicing will suffer the same security problems EHRs have.
In 2015, a security breach at Anthem exposed the personal information of 78.8 million people held in its systems, the largest medical records breach in US history, and attacks have continued since. Last year alone there was an average of one health-data breach per day; the total number of breaches eclipsed 450 and affected 5.6 million patient records.
Why e-invoicing could be the next cybersecurity nightmare
Any time an organization stores or transmits critical data electronically, the potential for a breach exists. Electronic invoices in most countries must carry information such as tax ID numbers, descriptions of goods shipped or received, the total amount of the invoice, taxes due and other critical data points.

If data thieves string enough of this information together, they can build a detailed picture of a company’s suppliers, customer relationships and proprietary business practices, then sell that picture to a competitor or hold the victim to ransom. Beyond that, e-invoicing carries the challenge of being global: businesses must secure their e-invoicing systems in a wide variety of countries, most of which have different mandates and different technical formats.
E-invoicing also makes for an attractive attack vector because companies have no choice but to implement it, just as healthcare providers had to implement EHRs; failure to comply with mandates can result in harsh financial penalties, delayed or missed shipments, and even the shuttering of the business. A system that must be deployed on a regulator’s timetable tends to be deployed before it has been properly secured.
Security Options: In-house development vs. partnering with a third party
The companies most likely to fall victim to e-invoicing data theft are smaller businesses that don’t have the resources to build secure e-invoicing systems themselves. They will either have to undertake the potentially massive project of trying to develop their own systems or turn to third parties for help.
The choice might not be as clear cut as it sounds. The cost of data breaches is growing faster for small businesses than for larger ones: in 2018 so far, the average enterprise has paid 24% more per incident than last year, but breaches have cost the average small business 36% more. Security researchers at Kaspersky found that the costliest incidents are those that originate with third-party providers.
Still, building secure systems of any kind is no small task. For most small businesses, building a secure e-invoicing system could take months or even years—far too long to comply with mandates that are rolling out rapidly. Turning to a third party might be the only choice.
Awareness of security capabilities from the beginning
Either way, it’s imperative that businesses keep two factors in mind:

  • E-invoicing systems are business-critical, not afterthoughts or add-on applications to be plugged into financial systems and forgotten.
  • Security should be the paramount concern in developing or choosing an e-invoicing system. Too many organizations rushed EHRs into use and figured they would beef up security later—too late in some cases.

If companies want to avoid the pitfalls of EHR, they must understand their own security capabilities before launching into e-invoicing, and decide on that basis whether to build or to buy. Treating e-invoicing as anything but a top priority can be disastrous.
