The blockchain frenzy has centered on its transformative potential – but as companies remain squarely focused on “how” to use the technology, few are asking “Is blockchain secure for my business?”
It’s no secret that blockchain[1] is a potential game changer in financial services and other industries. This is evident from the US$1B investment[2] in the technology last year alone, and from the fact that you don’t have to look very far for blockchain use cases, which range from foreign exchange markets in financial services to the pork supply chain in consumer retail.
Some even see blockchain as a “foundational” technology set to disrupt, enable and change business processing as we know it across industries. To date, much of the blockchain frenzy has centered on its vast transformative potential across entire industries, so organizations have focused squarely on “how” they can use blockchain for business. Yet, as more proofs of concept move toward practical implementations and cyber threats grow rapidly in number and sophistication, security and risk management can no longer take a backseat. In addition to “how”, the question then becomes, “Is blockchain secure for my business?”
Simply put, it can be. But not by just turning the key. Security will depend on a variety of factors, not least of which is a robust risk management framework. Consider, for example, that according to one study[3] as many as half of vulnerability exploitations occur within 10 to 100 days after the vulnerability is published. Then add in the number of threats that are already known. Next, factor in the plethora of unknowns that accompany any emerging technology, and you quickly see why a comprehensive view of your risk and threat landscape is necessary. In Securing the Chain, we explore two recent incidents related to blockchain technology: what happened, how it happened and how it could have been prevented.
We then apply the lessons learned from such incidents, and from security and risk management experience with other emerging technologies, to provide you with a framework that can help you identify and respond to threats for your specific blockchain implementation.
Organizations are already grappling with multiple frameworks and standards. At the risk of creating another one, the purpose of our blockchain framework is to enable a comprehensive (and critical) line of questioning to ensure blockchain implementations are secure and resilient. We fully expect organizations to take the leading practices underpinned by this framework and integrate them with their existing security and risk management capabilities and frameworks.
There is a common misconception that blockchain is inherently secure because its principles are founded on cryptography and immutability (i.e., once a record is written to the ledger it cannot be altered or removed without detection). But immutability guarantees only that what was recorded stays recorded; it says nothing about whether the record should have been accepted in the first place, and a fraudulent transaction that passes validation is just as permanent as a legitimate one. So despite its strengths and promise, blockchain is not inherently secure, and even a small oversight can have a significant impact.
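To make the distinction concrete, the following is an added, constructed example (not code from this paper or from any real blockchain implementation): a minimal hash-chained ledger whose entries are authenticated with an HMAC under the appending party's key. The key names, the participants and the transactions are all assumptions for illustration. The example shows that editing a stored entry is detected, while an entry appended by an attacker who has obtained a legitimate key is accepted and becomes permanent.

```python
import copy
import hashlib
import hmac
import json

# Constructed keys for two ledger participants (illustrative only).
SECRET_KEYS = {"alice": b"alice-key", "bob": b"bob-key"}
GENESIS_HASH = "0" * 64


def block_hash(prev_hash: str, payload: dict) -> str:
    """Hash of this block, bound to its predecessor by prev_hash."""
    data = prev_hash.encode() + json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def append_block(chain: list, author: str, payload: dict, key: bytes) -> list:
    """Append a block authenticated with `key`; the ledger trusts the key, not the person."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    h = block_hash(prev_hash, payload)
    tag = hmac.new(key, h.encode(), "sha256").hexdigest()
    chain.append({"prev": prev_hash, "payload": payload, "author": author,
                  "hash": h, "tag": tag})
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (True, length) if every link, hash and tag checks out, else (False, bad_index)."""
    prev = GENESIS_HASH
    for i, blk in enumerate(chain):
        if blk["prev"] != prev:
            return False, i
        if block_hash(blk["prev"], blk["payload"]) != blk["hash"]:
            return False, i
        key = SECRET_KEYS.get(blk["author"])
        if key is None:
            return False, i
        expected = hmac.new(key, blk["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, blk["tag"]):
            return False, i
        prev = blk["hash"]
    return True, len(chain)


def demo() -> dict:
    chain = []
    append_block(chain, "alice", {"from": "alice", "to": "bob", "amount": 10}, SECRET_KEYS["alice"])
    append_block(chain, "bob", {"from": "bob", "to": "alice", "amount": 3}, SECRET_KEYS["bob"])
    assert verify_chain(chain) == (True, 2)

    # 1. Tampering with a stored record is detected: immutability works as advertised.
    tampered = copy.deepcopy(chain)
    tampered[0]["payload"]["amount"] = 1000
    tamper_ok, tamper_idx = verify_chain(tampered)

    # 2. An attacker holding alice's key (an operational oversight, not a flaw in the
    #    chain) appends a perfectly valid block. It verifies, and it cannot be undone.
    stolen_key = SECRET_KEYS["alice"]
    append_block(chain, "alice", {"from": "alice", "to": "mallory", "amount": 10}, stolen_key)
    fraud_ok, _ = verify_chain(chain)

    return {"tamper_detected": not tamper_ok, "tamper_index": tamper_idx,
            "fraud_accepted": fraud_ok, "length": len(chain)}


if __name__ == "__main__":
    print(demo())
```

The ledger's integrity check catches the edited amount in block 0 but happily accepts the block appended with the stolen key, which is the situation the rest of this paper's risk framework is meant to address: the controls around key custody, access and transaction authorization sit outside the chain, and the chain itself will faithfully preserve whatever they let through.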
Two recent incidents made this point clear by showing how attackers can exploit security oversights within individual organizations while simultaneously using the fundamental strengths of blockchain technology, such as the finality of recorded transactions, to their advantage.
Many anticipate blockchain will significantly disrupt and transform business models in financial services, healthcare and beyond. Yet, the sheer excitement over this innovative technology and its promising potential has eclipsed a true focus on the possible threats and risks. As blockchain continues to build significant momentum and reality sets in, companies cannot turn a blind eye to security and risk management any longer. Blockchain may even provide a false sense of security through some core features around cryptography and immutability. It is now time to apply a risk management lens.
Moving forward, we believe the security and risk considerations, including those discussed in this paper, will steer the use cases and implementations of blockchain across industries. By analyzing lessons learned from recent blockchain-related incidents and from decades of experience in security and risk management, organizations can be better equipped to implement secure and resilient solutions around this emerging technology.