More industries are incorporating blockchain applications into their business, drawing the attention of threat actors; the recent Axie attack is one example. As a result, many cybersecurity professionals are now finding they are responsible for securing blockchain systems. Unfortunately, even skilled cybersecurity professionals are ill-equipped to secure blockchain applications, because blockchain and other decentralized applications bring different risks and threat vectors that can only be mitigated through tailored controls.
Blockchain technology allows untrusted parties to agree on the state of data and applications securely, but that security guarantee is quite narrow. Many developers and users nevertheless assume this security applies broadly to applications built on top of the blockchain when, in reality, that's not the case. Whether it's due to code mistakes, breaches or scams, both individuals and big corporations have lost significant amounts of money. In fact, scammers stole $14 billion worth of cryptocurrencies in 2021.
Failing out in the open
Threat actors gravitate toward the easiest targets with the most profit. As we approach a blockchain-reliant future, ensuring that developers and security professionals understand what it takes to secure applications on blockchain is paramount. Threat groups will continue to pivot as security frameworks evolve to better protect traditional assets. A prime example is ransomware groups, which have already adopted blockchain for payment. It is only a matter of time until they pivot their targets to Web3 as well.
In a public blockchain ecosystem, every new technology or application is developed and launched under full view. This brings many challenges, but is particularly painful when developers are also pressured to launch as quickly as possible. Developers used to spend years developing the product and planning for its launch. Now, this long-standing process does not align with our current reality, in which blockchain developers may ideate and launch a product over as little as a single weekend.
Today, many projects in the blockchain space are created by organizations without robust security programs, processes and controls that can withstand advanced threat actors. This leads to teams missing or misclassifying risk factors and gives businesses a false sense of security. With fast development combined with a lack of security talent, attackers are able to find easy targets.
Blockchain beyond Bitcoin
Blockchain spending is expected to reach 19 billion by 2024, so now is the time for organizations to adopt new technology. If implemented correctly, blockchain can offer increased transparency into operations and processes, making it highly sought after. Offerings touted by advocates include the tokenization of money flow, supply chain financing and the cross-border movement of money. However, it may be difficult for businesses to launch applications on the blockchain that ensure security is at the forefront of their technology.
A business that wants to implement new technology or processes needs the tools and team to successfully execute it. For instance, if a finance team is interested in implementing cloud-based software to streamline the payroll process, they hire a strong team with the knowledge and necessary skill set at their disposal to safely realize their goal.
Cloud security tooling and resources are now plentiful in our industry. However, if the same finance team from the example above looks to implement blockchain technology in their company payroll, they will have a harder time finding security and development tools and talent to ensure the product is safe. Adoption of blockchain is far outpacing available expertise. The challenge here is that security can easily become an afterthought if an organization doesn't have a knowledgeable team dedicated to identifying and mitigating threats.
Blockchain and your org's security strategy
Organizations that adopt blockchain also need a security strategy to operate successfully. This includes finding cybersecurity professionals who are knowledgeable about the space. As many seasoned security professionals look at blockchain as a fad or unnecessary technology at best, this may be increasingly difficult.
It is challenging for traditional security experts to be excited about NFTs and cryptocurrency taking the blockchain community by storm. We are, of course, a risk-averse group in general. This then leads to a shortage of experienced security professionals in blockchain, even when investment is accelerating.
Instead of disregarding blockchain, security professionals can take a middle-of-the-road outlook on the future of the technology. Whether you believe it is the future or not, you can recognize there is a real impact to people and organizations when attacks happen. As for organizations without proper knowledge of blockchain security — you are launching without a safety net.
Ryan Spanier is vice president of innovation at Kudelski Security.