By: Daron Hartvigsen, Managing Director, StoneTurn and Luke Tenery, Partner, StoneTurn
When insider threat or insider risk is discussed in a corporate context, often the relevant topics include misconduct, fraud, misuse, or even the idea that insiders can be unwitting accomplices to social engineering exploitation. The recent slowing of the US economy and volatility in the digital asset market have surfaced some less talked about aspects of insider risk that companies should consider.
Security: Often a Single Point of Failure
Whether it’s cryptocurrency, social media, or software engineering, startups and new innovations are commonly propelled forward by a very small cadre of individuals. Unfortunately, these early leaders often retain critical information about the project (design, developments, infrastructure, technology) in one location: their own brains. If this information is not properly documented and accessible, the result can be catastrophic when a key individual departs or is unavailable when something fails. Cue the chaos that can ensue.
As an example, StoneTurn has worked with very successful companies that operate IT systems supporting the storage, exchange, and/or trading of digital assets. Unfortunately, we often find these companies rely on infrastructure built by early innovators who fielded systems without the knowledge, funding, or motivation to build a more secure and redundant platform. When the crypto “winter” hit in late 2022 and prices plunged, it was not surprising to see allegations of unauthorized and untraceable theft of digital assets from companies that laid off some of the very employees responsible for the IT systems that experienced the theft.
In some cases, the employees understood critical logging gaps or had oversight of the security measures intended to thwart unauthorized internal activity, and thus were able to exploit them. Initial build strategies for some players in the digital asset ecosystem focused solely on investing in protections from unauthorized external access, client fraud, or defenses from other external threats. Investment in internal access control, auditing, and logging is often seen as addressing a secondary risk. As a result, the policies and protocols that are implemented are insufficient to prevent or detect insider risk, and closing those gaps only becomes a priority when there is a loss or impactful security event.
Intellectual Property/Institutional Knowledge: Can Disappear Overnight
Companies that build a new product from the ground up and rely on infrastructure built by a small team of innovators often do not plan for the eventual departure of that talent.
We have worked on more than one case where an entity worth more than $100 million USD relied on ONE person’s institutional knowledge to keep things going. When that situation goes bad, investigators like StoneTurn are called to understand what happened. What are the impacts to the core production environment when the person who built it and maintains it is laid off or quits? The short answer: it could be significant if redundancy in knowledge was not planned for. But it can go much deeper.
During the latter stages of 2022, we worked with clients who laid off staff and downsized teams, and as a result created environments where the company’s ability to support key technologies just disappeared, essentially overnight. As headlines have indicated, this trend has carried over into 2023, with entities large and small across sectors continuing to make cuts in staffing. While a large company may be able to fill in the gaps, for a smaller digital asset exchange, the departure of foundational technical staff could cause a much more significant disruption. Getting ahead of these disruptions is critical, and companies can do many things to defend themselves from disappearing institutional knowledge. Those defenses need to be implemented early and built into engineering, security, and growth plans.
Bottom Line: Plan to Protect
Building a business off a great idea, maturing that idea into a product, and serving the market successfully are key goals many innovators reach for and something that is celebrated in the business ecosystem. Today, however, building a successful technology-enabled business must include a much broader set of goals to avoid common pitfalls.
- Plan to protect intellectual property and institutional knowledge from the beginning.
- While building out IT infrastructure, it is wise to secure what is valuable from day one and to do so with an eye to both external and internal risk.
- Test controls and protocols frequently to ensure they are not circumvented, whether maliciously or for the sake of perceived “efficiency.”
For today’s leaders, the end goal must change: Build a secure business off a great idea and plan to secure the IP associated with that idea right away. Mature the idea into a secure product with redundancies that defend against a single point of failure. By doing so, organizations can better serve the market successfully by securing fundamental business and client information in the long term.
About Daron Hartvigsen
Daron Hartvigsen, Managing Director with StoneTurn, is a cyber threat response and pursuit expert who has served both commercial and U.S. government information security domains. He brings nearly 30 years of combined experience in commercial, U.S. intelligence, counter-intelligence, and law enforcement, and has conducted incident response, cyber threat pursuit, law enforcement investigations, counterintelligence operations, intelligence analysis, and cyber threat degradation activities.
About Luke Tenery
Luke Tenery brings over 20 years of experience helping leading organizations mitigate complex cybersecurity, data privacy, and digital risks. He applies expertise in cyber investigations, threat intelligence, incident response, and information risk management to assist clients—from prevention to detection, mitigation through to remediation and transformation.
Luke specializes in situational cyber risks, including assisting public companies and their Boards in addressing digital risks and remediation of complex cyber incidents. Luke has also advised on cyber issues at the intersection of risk and compliance, as well as those related to financial fraud and data integrity.