February 14, 2019 by Siobhan Climer
Story Update: March 9, 2019 at 10:57 a.m.
In the interest of posterity, we are providing a brief update to this story. Check out the complete Part Two here – Quadriga Crypto Mystery Deepens: Unlocked Wallets Empty.
Upon gaining access to the cold storage wallets, the audit firm Ernst & Young found the wallets had been emptied in April 2018, months before Cotten’s death, according to reporting by NPR.
“Three may keep a secret, if two of them are dead.”
– Benjamin Franklin, Poor Richard’s Almanack
Secrets have an enticing power to them. From school kids whispering on the playground to codes, mysteries, and undercover agents, secrets are a part of our human experience.
Unfortunately, there is a risk in secret-keeping, as Canadian crypto exchange QuadrigaCX discovered in December 2018. The company’s 30-year-old founder, Gerald Cotten, the only individual with the passwords for the company’s crypto “cold storage”, died unexpectedly while in India, taking the passwords – and the $190 million in bitcoin they protected – with him.
Are Secrets A Cybersecurity Strategy? Learning From QuadrigaCX
We could spend hours talking about cybersecurity myths and misconceptions. According to a recent interview with certified ethical hacker Mishaal Khan, most organizations fall into two categories: those who think they’re already 100% secure and those who don’t care. Regardless, the easy first step most businesses take to be secure is to secure access to their data.
And it’s true. Securing access to your data is one important step in a security architecture. But part of a hardened security posture also includes ensuring business continuity, and that’s where the QuadrigaCX security architecture failed.
While the platform follows industry best practices – there is no governing body that provides oversight to the cryptocurrency industry, according to the sworn affidavit provided by Cotten’s widow, Jennifer Robertson – the layering of security failed to enable a technological solution for continuity. In the end, somewhere around $190,000,000 was protected by a single individual in the human layer.
Secrets can, apparently, be quite expensive.
Mishaal Khan is hosting an upcoming event – Get Hacked! Cybersecurity From A Hacker’s Perspective – on March 7, 2019 in Oak Brook, IL. Join him there to learn about what’s trending in cybersecurity today.
A Better Solution: Layered Asset-Based Security
When it comes to developing a cybersecurity plan for your business, the best approach remains using a layered security architecture that deals with the before, during, and after of a cyber attack – though it is important to note that security doesn’t just deal with criminals, but also the errors and misconceptions that lead to business loss.
Each layer may individually be quite weak, but together these layers provide a deterrent to malicious entities. Protections in the network layer, the human layer, and the DNS layer all work together to support a defensive security architecture.
The key is to start with what matters most to your business. Protect that first. Cotten was right to ensure that access to the cold storage where most of the financial assets of QuadrigaCX were kept was limited.
Unfortunately for those left behind, that security has come at quite a price. With a security partner, QuadrigaCX could have continued to protect financial assets and client data while also ensuring business continuity. Whether through multi-factor authentication or a layered access approach, there is something to be learned from this example.
Can You Ensure Continuity And Keep Cybersecurity Secrets?
Even password managers, like LastPass, suggest creating a “digital will” for your passwords, saying anyone with a significant online presence – including businesses – should have a policy that manages the passwords and account details of every online account, from social media to financial transactions and everything in between.
Companies like PassMyWill, a free service, coordinate with social media accounts like Facebook and Twitter to respond to a death and initiate a digital passing of your account details to validated parties you previously selected.
This may work for your personal accounts, but how do you ensure the security of the business accounts your organization relies on every day? Are you prepared if your social media manager or IT director were to leave you without access to your accounts tomorrow?
Creating a hardened security posture is not as straightforward as using 50-character complex passwords for your accounts. The data you own is only valuable if you can access it. Working with security experts ensures your organization has a broad cybersecurity strategy so that, even in the worst of times, your secrets are safe – and accessible.
Want to have a quick (free!) chat about your security architecture and see if Mindsight can help you reach your goals? Join us for our weekly Whiteboard Wednesdays to talk through your security objectives.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year old daughters. Find her on twitter @techtalksio.