Data Security by Process Design: The Next Step for IT and IP Protection
I was sitting next to a HoneyBadger Bitcoin employee on a plane a few months ago – he was moving forward their kiosk deployment across Canada and I was half asleep heading home from Seattle – and finally got an answer to a question I’d been wondering for a long time: How do those ‘in the know’ secure their wallet numbers and passwords when everything is hackable?
His answer: pen, paper, safety deposit box. I’m not sure what I was expecting, but that certainly wasn’t it.
That message, in context with last week’s news that QuadrigaCX has now forever lost access to ‘cold wallets’ worth over $160 million – and the record $865 million dollars worth of coins stolen from exchanges around the world in 2018 alone, now makes a little more sense.
Pen, paper, safety deposit box indeed.
Electronic thieves have innovated. Clever phishing emails, fake websites and spoofed email addresses (many of you have seen them I’m sure) have taken over the ‘<insert foreign country here> prince’ emails. Faked wiring instructions from colleagues, fraudulent CRA phone calls and mysterious banking password verifications all seek to get through the IT infrastructure we’ve set up to protect ourselves with verified credentials. You don’t need a hack when you can convince targets to bring you behind the ‘silicon’ curtain – or avoid it altogether. Even blockchain security can’t prevent a compromised user from making changes to secure data.
Unlike an IT hack – a failure of your infrastructure to withstand attack – we are countering a new and different threat: a digital version of the failure of checks and balances that plague many businesses. Growth – especially in small, founder-led businesses – doesn’t often permit the vigilance of enforcement required to prevent financial ‘leakages’ (to use my colleague Salima’s favorite term). Founders need to sell, sell and sell again. Even with expense trackers like Expensify and small business back-office apps like (the rather brilliant, Edmonton-based Jobber), there remains gaps in our ability to provide the requisite checks and balances that will keep our money safe from phantom bills or instructions.
Our solution – the best solution (though we may be biased) – is to fill the gap between costs and approvals by cementing your checks and balances digitally. A strong document management system (we use MFiles – it does this seamlessly) can build processes that manage file interactions – necessitating approvals, ensuring completeness, and protect against versioning errors – that mirror the numerous processes you already use to operate your business. We will also evaluate your processes with you to ensure that those that we are recreating accomplish the security tasks they are meant to.
That said, with or without us, I would implore you to protect your critical processes. Create a strict, two-stage process – both verbal and electronic – on how wire transfers, cheques over a certain amount, payment orders and confirmations, how users’ passwords get changed and updated and the digital permissions required for your employees access secure data. Ensure that passwords are changed at the very least biannually (the more the better, but people absolutely hate this I recognize). And, most importantly, keep a data trail – in some way – of these processes. The more automated and unbiased the better.
And, though it still amazes me that this is still important, ensure that mission critical server, administrator or data vault passwords are written by hand, on pen and paper, and put in a secure area somewhere. Digital records can be hacked. Pen and paper still cannot. QuadrigaCX showed the vulnerability of concentrating this knowledge in a single person. You may not be comfortable providing this information to multiple people.
The world may be changing but pen, paper and a good safety deposit box still have their uses after all.