As the number of blockchain implementations continues to grow, internal auditors will need to learn about both the promise and risk this technology offers.
Consider the results of a 2017 survey by Juniper Research of approximately 400 executives with companies of at least 20,000 employees. More than half (57 percent) said their organizations were either actively considering or deploying blockchain technology.
So…what exactly is blockchain?
“Blockchain is a data structure,” says Ed Moyle, general manager and chief content officer with Prelude Institute, whose goal is to help un- and underemployed individuals find jobs within the security industry. The architecture behind the data structure “is able to self-reinforce the security and integrity of the network,” he says.
This explanation from IBM shows how a blockchain network can reinforce its own security and integrity:
Because a majority of network participants must agree before a new block of transactions can be added to a chain, the blocks become harder to manipulate.
Among other benefits, blockchain networks can reduce the risks and inefficiencies inherent in paper-based accounting systems. They also can allow transactions to occur without third-party intermediaries like banks or credit card processors. This also can lower transaction costs.
A blockchain can be public or private. As you might guess, any party can participate in a public blockchain network. Participation in a private blockchain network, however, requires approval by an administrator. Windsor Holden, blockchain analyst with Juniper Research, predicts most companies will gravitate to private blockchain networks.
Behind Blockchain’s Popularity
About one-third of executives responding to a 2016 survey by Deloitte said their companies would face a competitive disadvantage if they failed to adopt the technology. About 25 percent said they believe blockchain will disrupt their industries.
Financial services firms were among the first to consider blockchain technology. Potential applications include record storage and the issuance and trading of stocks and bonds.
Blockchain deployments increasingly are found across industry sectors. “Asset tracking is another promising area for blockchain technology,” Holden says. For instance, some firms in the jewelry industry are turning to blockchain to track gemstones and precious metals and show they weren’t mined in conflict areas or with forced labor.
While blockchain technology holds great promise, internal auditors also need to consider the risk it poses.
One stems simply from the fact that blockchain has become such a buzzword that some organizations move forward with implementations before they identify how (and if) the technology might benefit them, Holden says.
Holden listed three situations in which an organization might benefit from a blockchain implementation:
- It needs transparency and clarity across its transactions.
- It currently depends on inefficient, paper-based systems.
- It deals with a high volume of transmitted information.
Rob Clyde is chair of ISACA, a professional group for individuals in information and cybersecurity, governance, assurance, risk and innovation; he’s also executive chair with White Cloud Security, Inc. Clyde identified several other instances in which a blockchain application may make sense. One occurs when an organization can’t turn to a trusted, central third party, like a bank, to verify transactions. This is why jewelry firms are using blockchain to verify the provenance of gemstones and precious metals.
Another is when multiple parties need an “immutable record,” such as a cybersecurity audit log, Clyde says. Blockchain can provide that.
If the above criteria don’t apply, blockchain may not address the challenges an organization faces.
While blockchain is highly secure, no system is invulnerable. Some areas of concern:
1. The Distributed Ledger
While this offers protection against rogue operators, if a group of people gained control of a majority of ledgers, the blockchain network could become vulnerable to what’s often referred to as “a 51 percent attack.” This occurs when one group or entity gains control of more than half the computing power of the blockchain network. They could issue transactions to harm the network or to keep legitimate transactions from proceeding. “Ask the developers how the system could be gamed,” Clyde says.
2. The Cryptography Solution Used
While not yet a risk, the steady growth of quantum computing, which eventually will be able to break certain types of cryptography, presents a concern. Clyde notes that while the risk is years away, blockchain networks are built to last for years. As a result, they should use quantum-safe cryptography, he adds.
3. The Information Stored
For instance, storing full transaction details presents a greater risk than storing “hashes,” strings of numbers that refer to a transaction but don’t include the transaction information itself, Holden says.
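As an added illustration (not part of the original article and not any vendor's implementation), the Python example below combines two points made above: the “immutable record” for an audit log and the practice of storing hashes rather than full details. The function names and the sample log entries are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def digest(obj):
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_block(chain, record):
    """Commit to `record` by hash only; the record itself stays off-chain."""
    body = {
        "index": len(chain),
        "prev_hash": chain[-1]["block_hash"] if chain else GENESIS,
        "record_hash": digest(record),
    }
    chain.append({**body, "block_hash": digest(body)})

def first_broken_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: block.get(k) for k in ("index", "prev_hash", "record_hash")}
        if body["index"] != i or body["prev_hash"] != prev \
                or block.get("block_hash") != digest(body):
            return i
        prev = block["block_hash"]
    return None

def record_matches(chain, index, record):
    """Check an off-chain record against the hash the chain committed to."""
    return chain[index]["record_hash"] == digest(record)

def build_demo():
    """Constructed sample audit-log entries (not real data)."""
    records = [
        {"ts": "2018-01-05T09:00:00Z", "user": "alice", "event": "login"},
        {"ts": "2018-01-05T09:02:10Z", "user": "alice", "event": "export_report"},
        {"ts": "2018-01-05T09:30:45Z", "user": "bob", "event": "change_role"},
    ]
    chain = []
    for r in records:
        append_block(chain, r)
    return chain, records

if __name__ == "__main__":
    chain, records = build_demo()
    print("intact:", first_broken_block(chain))
    chain[1]["record_hash"] = digest({"event": "forged"})
    print("first broken block:", first_broken_block(chain))
```

Re-sealing an altered block with a fresh hash only moves the failure to the next block, because that block still points at the old hash. Whoever holds the only copy could recompute every later block, which is why agreement among a majority of participants matters.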
4. How Keys are Stored
The method by which keys are assigned and stored, and the integrity of the key management system, are also a concern, says Ron Hale, Ph.D., vice president of cyber training, development, and policy for DarkMatter LLC, a cybersecurity consultancy based in Abu Dhabi. Users in a blockchain network have both a public and private key. The public key acts as their address on the network and verifies their digital signature; a private key is used to create the digital signature. Keys not in use should be stored on servers that are disconnected from the internet, and then moved to an internet-accessible server to initiate a transaction, Hale says.
The popularity of blockchain networks likely will continue to grow. Auditors whose organizations are looking into this technology should learn as much as they can. “Get educated,” Moyle says. “Unpack what blockchain is and understand how it works.”