In May, I discussed the benefits of blockchain for data storage. Today, we’ll revisit the benefits of blockchain, this time focusing on enhancing your small business’s cybersecurity.
Cyberattacks are on the rise, and high-profile attacks on large companies, resulting in the loss or exposure of sensitive customer data, seem to be a weekly occurrence.
It’s not just large corporations that are concerned, however. According to the U.S. Chamber of Commerce, small businesses “are often the most vulnerable to cyber threats,” with 44% of small businesses reporting that they’ve been the victims of an attack, the average cost of which was $9,000.
As a technology built with security in mind, blockchain offers a lot of promise in terms of its cybersecurity potential.
After all, blockchain is the result of multiple large breakthroughs in security and cryptography used to secure bitcoin. Applying it to areas outside of cryptocurrency exchanges just makes sense.
To help you understand blockchain and its potential for cybersecurity at your small business, we’ll look at:
- Specific security aspects blockchain can potentially improve
- The different types of blockchain trust models
- Whether your business should invest in blockchain technology in 2018
3 Reasons Blockchain Is Exciting for Cybersecurity
Blockchain operates on a distributed network, takes advantage of breakthroughs in encryption, and uses complex algorithms to verify the ownership and accuracy of data.
Each of those features alone is an element of a strong, advanced cybersecurity strategy. Combining them through blockchain technology promises advancements for the cybersecurity industry.
Below, I’ll take a look at three aspects of cybersecurity that blockchain has the greatest potential to improve or enhance.
1. Blockchain can help prevent access fraud
Blockchain has major potential to bring much-needed changes to the process of identity and access management.
One of the biggest problems with identity and access management is that your employees likely use weak passwords that are easy for a hacker to crack. They may use those same passwords for multiple applications, granting bad actors access to all kinds of sensitive information after they’ve cracked the code in one place.
Compound that with the fact that passwords run on a public key infrastructure (PKI) model that ultimately relies on a central certificate authority (CA) to issue, revoke, and store key pairs. Key pair records control the pairing of your private key (i.e. your password) with a public key, which is used to verify that the person using your private key (hopefully you) has access to certain data or information (i.e. the emails in your email account).
The problem here, blockchain-based security advocates argue, is the CA managing passwords—centralized databases and systems are easier to hack.
Using blockchain, you can create a distributed PKI model. Instead of a CA controlling and managing key pairs, you can store that data on the blockchain.
As I discussed in last week’s article on distributed storage, a distributed blockchain network is more secure than a centralized network, because a cybercriminal would have to access multiple points of entry simultaneously to hack the network, rather than only a single, centralized point of entry.
Though a blockchain-based distributed PKI model doesn’t entirely eliminate the need for your employees to use strong passwords, it does take some of the burden off of their shoulders by relying more on the strength and structure of the distributed network rather than on the resilience and security of a CA’s record keeping.
2. Blockchain can help deter certain cyberattacks
The world thought it had seen the biggest DDoS (distributed denial of service) attack when GitHub was hit in February 2018. However, the world was mistaken when, five days later, an even bigger DDoS attack hit a U.S. service provider.
Though malware and viruses are the most common types of cyberattacks, DDoS attacks, which attempt to crash online services by bombarding them with traffic from many different sources at once, aren’t far behind. According to a survey from the Hartford Steam Boiler, over a third of businesses had been the target of a DDoS attack at the time of the survey.
Websites crash when subjected to DDoS attacks because the domain name system (DNS)—essentially a phone book for the internet that matches domain names (www.capterra.com) to an IP address to redirect you to the appropriate website—is stored on a system that’s only partially decentralized. Once hackers gain access to the centralized part of DNS, they can crash your site.
A diagram of a DDoS attack, which targets a centralized system
Operating DNS on a blockchain would fully decentralize the system, meaning that attacks wouldn’t be aimed at a single, centralized source, avoiding the flood of traffic that ultimately crashes sites.
It also means that a hacker would have to gain access to multiple nodes in the system at the same time in order to implement the attack, which would make it much harder, more expensive, and more time-consuming to carry out.
3. Blockchain can make it harder to tamper with data
Blockchain is all about ensuring the integrity of data. In last month’s post, I went over why blockchain-based distributed storage solutions are harder to hack—and, therefore, more secure—than centralized data storage systems, so I won’t go into too much detail here.
However, blockchain technology also offers safeguards to ensure that your data isn’t corrupted or lost.
Data can never be removed from a blockchain. New or edited data is added on top of old blocks. You can think of this as a much more sophisticated way of tracking changes in something like a Google sheet. If you look at old versions, you can see who made which changes and when they were made.
Similarly, every time a block is added to a chain, it has a digital signature and time stamp and is therefore fully traceable. If a hacker were somehow able to change data on the chain, you would be able to see when they did it and which account they did it from.
Finally, if a cybercriminal did manage to alter data on the blockchain, those changes would be detected very quickly, as every time data is changed, those changes have to be verified with the rest of the chain. False data, or data altered without the correct permissions, would alert the whole chain that there was an error, and the false data would be excluded from the system, keeping your data intact.
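The tamper-evidence described above, applied to the idea from section 1 of keeping key-pair records on a chain, as an added example that is not from the original article: each block's hash covers the previous block's hash, so editing an old record breaks the link to everything after it. The account names, key strings and timestamps are constructed, `rehash_from` and `matches_majority` are hypothetical helpers, and signatures and consensus are left out.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(block):
    """SHA-256 over the block's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, account, data, timestamp):
    """Add a record on top of the chain; earlier blocks are never edited."""
    block = {"index": len(chain), "timestamp": timestamp, "account": account, "data": data,
             "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_bad_block(chain):
    """Index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Simulate one node rewriting its own copy so it is self-consistent again."""
    for i in range(start, len(chain)):
        chain[i]["prev_hash"] = chain[i - 1]["hash"] if i else GENESIS
        chain[i]["hash"] = block_hash(chain[i])

def matches_majority(chain, peer_heads):
    """Compare this copy's latest hash with the heads reported by other nodes."""
    return sum(h == chain[-1]["hash"] for h in peer_heads) > len(peer_heads) / 2

def sample_chain():
    """Constructed key-pair records: two registrations and one revocation."""
    chain = []
    append_block(chain, "alice", {"op": "register", "pubkey": "PUBKEY-A1"}, "2018-06-01T09:00:00Z")
    append_block(chain, "bob", {"op": "register", "pubkey": "PUBKEY-B1"}, "2018-06-01T09:05:00Z")
    append_block(chain, "alice", {"op": "revoke", "pubkey": "PUBKEY-A1"}, "2018-06-02T14:30:00Z")
    return chain

if __name__ == "__main__":
    good, bad = sample_chain(), sample_chain()
    bad[1]["data"]["pubkey"] = "PUBKEY-X"  # edit an old record in place
    print("first bad block:", first_bad_block(bad))
    rehash_from(bad, 1)
    print("after rehash:", first_bad_block(bad), matches_majority(bad, [good[-1]["hash"]] * 3))
```

A copy that has been edited and then rehashed passes its own check, so the comparison against the head hashes held by other nodes is the step that catches it.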
3 Types of Blockchain Trust Models
All blockchain applications for cybersecurity have some or all of the security enhancements I mentioned above, but not all are created using the same trust model. Depending on the trust model your blockchain operates on, the inherent level of security can vary greatly.
There are three different types of trust models that have different benefits and risks, which I’ll discuss below.
Different constructions of blockchain trust models offer varying levels of access, as well as varying levels of stability and integrity
1. Public model
A public blockchain model is, as the name suggests, public and open source. Anyone can join the blockchain to add or store data.
The main benefit of using a public blockchain is that it’s technically more secure. Since anyone can join, the network has more nodes, meaning it’s more diverse and you can disperse your data more widely, making it more resilient and less vulnerable to attack.
The risk of a public model, especially for businesses, is that, in exchange for more resilience, you lose some level of flexibility, control, and visibility into what’s going on on your network. Transaction times can also be much greater since you’re exchanging data across a large network with nodes potentially located around the world.
2. Private model
A private blockchain is closed, and one entity—your company, for instance—controls all the nodes. Only assets controlled or approved by that single entity can join the network.
The main benefit of a private blockchain is that you gain back all the things you lose with a public blockchain: flexibility, control, and visibility. However, you simultaneously lose what you gained with a public blockchain: increased security.
Creating a private blockchain means that fewer nodes can access the network, meaning your data won’t be as widely dispersed. You’re essentially centralizing what should be a decentralized network.
Gartner predicts that, in some cases, private blockchains might make good business sense. For example, as the number of IoT devices in existence grows, a private blockchain that uses the resulting nodes might offer enough diversity and distribution to create a resilient network. (Full research available to Gartner clients.)
3. Consortium model
A consortium model is essentially a hybrid public/private model. Only approved groups can join the blockchain. To do so, they typically have to agree to control a specific number of nodes, follow the consortium’s guidelines, and accept a specific number of audits.
As you might guess, operating on a hybrid trust model could increase or decrease your blockchain’s security depending on how large or small your consortium is.
However, it also minimizes the security risks that come with private blockchains as, by definition, it allows greater access to its network.
Should Your Business Use Blockchain for Cybersecurity?
In a word: no.
“Blockchain disrupts everything … or does it?” Even IT pros can’t decide how they feel about blockchain
Below are a few of the main reasons why you shouldn’t jump to invest in blockchain immediately.
1. Blockchain isn’t ready yet
There are a lot of ideas out there but very few proven instances where blockchain has been successfully used to meet businesses’ cybersecurity needs at scale.
In a lot of cases, using a proposed blockchain solution for cybersecurity is either impractical or impossible.
On one end of the spectrum, a quick Google search of “blockchain for cybersecurity” will bring up many mentions of “ongoing projects” and organizations that have published papers on how blockchain would enhance security, at least in theory.
On the other end of the spectrum, you’ll find companies that have created solutions for enterprise-level businesses that don’t have the needs of small or midsize businesses in mind.
2. Blockchain for cybersecurity might not be compliant with certain IT regulations
Blockchain is still a relatively new technology, and Gartner is quick to mention that, since people don’t quite understand blockchain, “it doesn’t have the same level of clarity of oversight or auditability that traditional systems do.” (Full research available for Gartner clients.)
With new data compliance rules such as GDPR going into effect, the cost of enforcing compliance within an intricate, complicated system such as blockchain could be astronomical, especially for smaller businesses.
3. Blockchain-based cybersecurity may not be more secure
Although blockchain was developed with security in mind, it’s not inherently more secure than traditional cybersecurity methods, especially since it hasn’t been proven to be scalable for different businesses and industries.
Part of this is that blockchain is new, and businesses are still trying to figure out how to use it to their advantage.
However, newness was an advantage blockchain had that it’s now losing. As blockchain becomes more prevalent in the digital sphere, more people will understand how it works, including cybercriminals. Already, hackers are attempting to undermine blockchain security by accessing it through “ancillary systems” such as operating systems, as was the case when a hacker stole $31 million of Ether, a cryptocurrency.
As cybersecurity methods evolve, so will cybercrime. That’s not to say that you shouldn’t use blockchain because it will eventually get hacked. It’s just a reminder that nothing is ever fully secure, even when it’s sold to you as such.
Keep Your Eye on Blockchain for Cybersecurity
Though you shouldn’t start applying blockchain to your cybersecurity strategies right away, you should keep track of where blockchain for cybersecurity is heading.
If you followed my advice from last week to form a “blockchain committee” made up of IT and business development employees, I’d suggest bringing blockchain-based cybersecurity initiatives to their attention.
If you can find ways to experiment with implementing blockchain-based cybersecurity strategies, I’d suggest that you give your committee permission to do so, as it could help your business familiarize itself with the technology enough to stay ahead of the competition.
Has your company experimented with blockchain-based cybersecurity initiatives? How did it work out? Let me know in the comments below!