The Impact of Poor IT Controls: A Lesson from the FTX Collapse
Hayden Duffy - January 12, 2023
4 min read
Poor IT controls can have a devastating impact on businesses, as the recent collapse of FTX has shown. We recommend watching this video to understand the specific issues that led to the collapse of FTX from an IT perspective. We will highlight the necessity of doing things correctly as early as possible; immature security practices and dated IT systems are a liability at best.
Many of the problems that led to the collapse of FTX are not unique to this company; we've seen many first-hand. It is crucial that IT professionals take note of these issues and take steps to ensure that their own companies do not suffer similar fate.
The table below summarizes some of the key issues that led to the collapse of FTX, and provides practical solutions to prevent them from happening in your own business.
| Problem | Fix |
|---|---|
| Failure to implement necessary systems and controls to ensure secure access to data. | We recommend documenting & reevaluating processes consistently, and ensuring you have controls in place to protect the data you hold. These controls should be tailored to the company's specific needs and should be regularly monitored and updated as needed. |
| Individuals in Senior Management had unrestricted access to systems that stored customers assets without security controls. | Use single identity and device management software to integrate deeply into your business systems. Utilise SSO login that many cloud-based software vendors such as Okta provide. The ideal solution is to have fully integrated role-based access to systems led by a HRIS tool. In simple terms; only those who require access to systems have access. This will prevent inappropriate access to customer assets & maintain brand integrity. |
| Misuse or lack of secure private keys. | Security keys are passwords giving access to systems. Not securing them has apparent consequences. Make use of a tool such as 1Password to securely store private keys, passwords and any other confidential data. Ensure that any shared data is well documented and access logs are stored for review. While it doesn’t sound fun, auditing access controls & event logs every quarter ensures all data is protected. |
| A lack of documentation across departments. | When things go wrong and there is no documentation to assist with diagnosis, you’re driving in the dark. When systems are integrated with each other, there is a greater chance that systems will fail in a cascading fashion. Documentation allows you to analyse and remediate systems & processes quickly without spending weeks doing reverse engineering work. Establish auditing protocols, and regular reporting to improve transparency and accountability of business decisions. |
| Lack of risk management processes. | Implement proper risk management processes to identify, evaluate and mitigate potential risks. This should include conducting regular risk assessments, setting up appropriate controls & safeguards to prevent or minimise the impact of risks, and having a well-defined incident response plan to quickly and effectively address any risks that materialize. Additionally, it is important to have an independent body or team to oversee the risk management process and report to management. The lack of risk management processes poses a greater chance of risks materialising and causing harm to the organisation and its stakeholders, so it is crucial to prioritise the implementation of effective risk management practices. |
There is a lot to be learned from the events leading to the demise of FTX; poor IT practices can have serious consequences. When companies experience massive growth in relatively short periods of time, processes & best practices suffer. While we never recommend over engineering your business with countless pages of process, you hold a responsibility to your stakeholders, customers & peers to mature the way you handle business.
It is crucial that businesses take proactive steps to address these issues, rather than waiting for a crisis to occur. Reactivity creates stress, knowledge gaps and kills brand trust.
haloSync offers a lean way for companies to become secure & compliant in an incredibly efficient manner. We can build role-based security into your systems, enforce device updates, protect assets from malicious use and automate the administration of a wide range of information systems available today on the market.
Don't sink, Sync.