Confusion, ignorance, stupidity or fraud?

A lotta padlocks
By Tim Lord   |   February 8, 2019

Imagine what would happen if you lost your most important work password—and everything it protected—with no chance of retrieval. Your data? Just “poof”—gone! How much would it cost your company? What if it were well over $100 million? Because that’s what just happened to Canadian crypto-currency exchange QuadrigaCX with the apparent death of its CEO, Gerald Cotten. A high price to pay for poor security practices.

A sad lesson

It’s clear that no one in the company instituted proper Identity Governance Administration (IGA) practices. IGA technology and processes ensure that people have appropriate access to applications and systems, that the organization always knows who has access to what, how that access can be used, and whether that access conforms to policy.

Maybe the security team at QuadrigaCX just chose the wrong solution after reviewing the alternatives. It’s unfortunately too easy to get punch-drunk reading feature after feature and claim after claim from a shortlist of vendors. Here’s the pain point everyone missed: ensuring that no one person will ever have sole control over the key secrets or intellectual property of the organization.

(Aside: If the team at DeLaune & Associates were marketing an IGA solution, we’d make that one of the key bullets included in a benefits-driven messaging approach.)

What’s the password?

You’ve heard (or given) the advice many times: Keep passwords or passphrases strong, so they can’t be guessed or brute-forced. And keep them hidden, so they can’t be surreptitiously glanced at. Better yet, use a password manager. That means no simple passwords kept in a desk drawer that everyone knows about.

The QuadrigaCX story illustrates the flip side of those password-stewardship rules: Don’t put all your eggs in one basket. At least, not one guarded by passwords that can be irretrievably lost. According to Cotten’s widow, only he was able to access the underlying encryption protecting a huge tranche of tokens held by the exchange, and access to nearly $150 million in Bitcoin, Ethereum and other digital currency was simply lost.

Investors really need those files

Skeptics see the possibility of fraud in the QuadrigaCX story. But even the opportunity for fraud here stems from a misstep that others can avoid, and without waiting for a hundreds-of-millions-of-dollars risk to emerge: Make robust plans for data-access continuity, rather than rely on passwords alone.

A comprehensive system has to face the inevitable: Passwords alone make for a brittle system.

The security team at QuadrigaCX should’ve been focused on access based not just on individuals possessing the right passwords, but on the roles that people play in your organization. Passwords themselves may be an important part of an access system, but they should never be the only one. Employees retire or switch jobs, data is corrupted, passwords are compromised or simply forgotten, and hardware keys with elaborate passwords are lost.

Tighten your materials

If you’re a technology vendor in this space, do your materials communicate the basics? Website visitors want to understand what you do in short order. They have a pain that needs resolution, and hopefully you offer a remedy they can comprehend in 15 seconds. This value proposition should be backed by a link to a blog or a gated digital marketing asset that will convert the casual visitor into an unqualified lead.

At DeLaune, we’ve helped vendors explain the value of IGA and many other technologies to their customers by developing engaging digital marketing assets. Our benefit-driven messaging approach communicates and illustrates the value of your technology in a manner buyers readily understand.

Get started today.

Tim Lord

About the Author

Tim Lord is DeLaune's managing copy director. He favors open source everywhere, and serial commas.

Leave a Reply

Your email address will not be published. Required fields are marked *