Blockchain and Cyber Security: the Equifax Episode

In sheer scale, the Equifax breach, which impacted 143m people, is small compared with other data breaches of the past year, such as Yahoo’s 1bn user account violation. However, Avivah Litan, a fraud analyst at Gartner, notes that Equifax’s hack is much more dangerous in terms of risk to the consumer. What makes this breach especially damaging is the type of data that was taken: its sensitivity renders the breach incomparably harmful. In total, the credit card numbers of 209,000 consumers were stolen.

Blockchain as a Solution?

Blockchain’s composition lends itself well to cybersecurity. The very nature of how blockchain applications work means they are hard to hack and harder to corrupt; they are secure and tamper-proof by design. For starters, the distributed nature of blockchain ledgers means that no single user will own the data (in a community project, for example) and that the data will be supported by several nodes in the company (where one company possesses all the data). For public projects, using blockchain technology to encrypt data and then storing that data on a cloud service means not only that the data can be kept on your device, but also that any data stored on the cloud cannot be read by that platform. This removes the need for blind trust in third parties and makes it easier to keep your data safe. Moreover, blockchain transactions can be validated as they happen in real time without the need for later processing by human or software intermediaries.

As for attacks, hackers breach networks long before any actual damage takes place. Often, hackers will need to locate data, decrypt, exfiltrate data or damage systems and these activities can take some time to set up and execute effectively. Additionally, hackers need to cover their footprints and remove evidence of intrusion, which again increases the length of time it takes to execute an attack.

With blockchain, however, the distributed ledger system makes these types of attacks impossible. Any change on a node that alters the data or the signature of the data can be identified and isolated from the network. If one node is changed, the other nodes can detect the disagreement and isolate it from the ledger network, thus alerting network administrators and cybersecurity personnel that there has been an attempted hack. Further, the existence of identical nodes complicates altering information.

Harder to Hack

Not only could blockchain be extremely efficient in detecting attempted attacks; altering the data is also nearly impossible. The ledgers are practically incorruptible, and even if one node is altered, it will not match and agree with the other nodes in the network. This is further complicated when the network consists of multiple nodes, all validating transactions of data in real time. Furthermore, this provides a boost to anomaly detection: when data is transmitted, the information can be logged (from whom, to whom, size, file type and so on). Any alteration or minuscule variation can be detected, as it will not comply with established parameters.

Compromising data becomes a gargantuan task when financial information is stored across a network of computers. Breaching one server is not enough; attempts to commit fraud, falsify information and change entries require a majority of the network to be altered. Moreover, each node updates in real time, requiring the attack to change the majority of nodes simultaneously. The combination of the peer-to-peer nature, the number of nodes, the network infrastructure, changing cyber security protocols and distributed, 24/7 operation makes the platform operationally resilient.
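
The detection described in this section, as an added example that is not code from the article: a toy hash-chained ledger replicated on four hypothetical nodes, with all function names and sample records constructed for illustration. It shows that an edited record fails a node's own hash check, that a fully re-hashed copy is caught only by comparing replicas, and that once a majority of nodes is altered the honest node is the one flagged.

```python
import hashlib, json
from collections import Counter

GENESIS = "0" * 64

def block_hash(prev_hash, record):
    # The hash covers the previous hash, so editing one record changes every later hash.
    return hashlib.sha256((prev_hash + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for record in records:
        digest = block_hash(prev, record)
        chain.append({"prev": prev, "record": dict(record), "hash": digest})
        prev = digest
    return chain

def first_broken_block(chain):
    """Index of the first block whose link or stored hash is wrong, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block_hash(prev, block["record"]) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def nodes_to_isolate(replicas):
    """Nodes whose copy is internally broken or disagrees with the majority head hash."""
    heads = {name: chain[-1]["hash"] for name, chain in replicas.items()}
    majority_head, votes = Counter(heads.values()).most_common(1)[0]
    if votes * 2 <= len(replicas):
        raise ValueError("no strict majority: ledger state is ambiguous")
    return sorted(name for name, chain in replicas.items()
                  if heads[name] != majority_head or first_broken_block(chain) is not None)

RECORDS = [{"from": "alice", "to": "bob", "amount": 40},      # constructed sample ledger
           {"from": "bob", "to": "carol", "amount": 15},
           {"from": "carol", "to": "dave", "amount": 5}]
FORGED = [RECORDS[0], {**RECORDS[1], "amount": 1500}, RECORDS[2]]  # entry 1 altered

def replicas_with(forged_nodes=()):  # nodes named here hold a re-hashed copy of FORGED
    return {n: build_chain(FORGED if n in forged_nodes else RECORDS)
            for n in ("node-a", "node-b", "node-c", "node-d")}

if __name__ == "__main__":
    edited = replicas_with()
    edited["node-c"][1]["record"]["amount"] = 1500  # record edited, stored hashes untouched
    print(first_broken_block(edited["node-c"]), nodes_to_isolate(edited))
    print(nodes_to_isolate(replicas_with({"node-c"})))                      # re-hashed copy
    print(nodes_to_isolate(replicas_with({"node-b", "node-c", "node-d"})))  # majority altered
```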

Limitations

Despite Bitcoin’s seemingly perfect fit for protecting sensitive data, there are still limitations to the platform. Whilst hackers might not be able to compromise the blockchain itself, damage can still be done to the underlying systems. A DDoS attack can still interrupt processes, essentially rendering any network inoperable for the period of the attack. Whilst the data will be safe, the network cannot continue to operate, meaning further changes to the ledger could be compromised.

Moreover, the attacks are not limited to the blockchain portion of the infrastructure. Should the company operate AI or use IoT technology, DDoS attacks could disrupt those systems by, for example, interrupting manufacturing processes run by AI bots on a factory floor. As a result, the blockchain system would still be vulnerable to the inoperability of the technology that it underpins.

Harder Punishments

A key tool in combating cyber attacks is ensuring that a company’s cyber infrastructure is secure. Thus, it is necessary to regulate the minimum commitment companies make to securing their networks, in order to protect themselves, other entities and their clients. Fundamentally, therefore, the law presents a powerful opportunity to set high standards and diminish the scope of power available to attackers. Certainly, the law will heed technological advancements in the future but, by having a standard of cyber security that firms must adhere to, one can significantly reduce the risk of successful hacks.

Wharton professor, Gad Allon, opines that the technology in itself is not enough and rather governments must engage with tougher cybersecurity standards and encourage companies to adopt better practices through creating regulation designed to espouse cyber security principles. “The penalty for firms has to be heavier. We should also have specific regulations about who has the liability in these cases and how quickly firms should admit [they have been hacked],” Allon said, adding “We see more and more situations where firms only acknowledge these things months after they happen.… This is why people have to go to jail for these things.”

According to Suchitra Nair, Director at Deloitte U.K.’s Risk Advisory practice, “Operational resilience of the blockchain will be a key focus area for regulators and will need to be rigorously tested and evidenced by the firm to gain regulatory assurance.” The requirement to comply with cyber standards will be a key power of the law, hopefully shifting security to a key topic for consideration by CEOs and boards. One such legislative tool is the EU General Data Protection Regulation (GDPR).

The EU GDPR aims to reflect the exponential growth of personal data processing as internet services continue to develop. Further, the regulation aims to put individuals in control of their data, instating strict conditions over consent for data to be captured and stored. This creates new obligations in areas such as data anonymisation, compulsory breach notifications and the appointment of Data Protection Officers, requiring organisations handling EU citizens’ data to make major changes in the way they operate. Likewise, companies wanting to conduct business in Europe, either directly themselves or indirectly through a European subsidiary, will have to comply with certain standards. Thus this regulation has the potential to reach beyond the member states.

On the penalty issue, this regulation includes the appointment of dedicated Data Protection Officers within companies and the requirement to notify relevant authorities of a breach within 72 hours of becoming aware of it. Furthermore, non-compliance with the regulation could cost up to 4% of a company’s annual turnover or €20m, whichever is higher. As such, this figure is both eye-watering and attention-grabbing and is certain to not go unnoticed among executive-level decision makers.

Final Thoughts

The high level of dependency on technology, data and soon AI, mandates that companies adapt and adopt security protocols to protect themselves and their business partners, consumers and stakeholders. New business models and revenue streams have been facilitated by greater internet connectivity but with this “comes new gaps and opportunities for cyber attackers to exploit.” Ed Powers, Deloitte’s U.S. Cyber Risk Lead, states that “while still nascent, there is promising innovation in blockchain towards helping enterprises tackle immutable cyber risk challenges such as digital identities and maintaining data integrity.”

Certainly, no cybersecurity defence is 100% impregnable, but blockchain may present today’s companies with a better option.
