As cryptocurrencies and non-fungible tokens (NFTs) become a more common part of organizations assets and transactions, cybercriminals are increasingly turning their attention to how they can target them. In the last few years alone, HedgewithCrypto.com1 reported a marked uptick in successful attacks on crypto exchanges, bringing the total amount stolen since 2012​ to a $2.72 billion.

For those impacted, the ramifications of these breaches are profound and long-lasting – financially, operationally and reputationally. Meanwhile, a lack of regulation and insurance in the industry continues to limit their ability to recover any assets lost.

Look Beyond Your Hardware

Often, organizations’ response to this threat is to focus on the actual technology involved in accessing, managing and transacting their digital assets. Yet, while undoubtedly important, device theft, slaving and shoulder surfing or direct observation techniques, continue to pose a threat. We also continue to see attacks that are predicated, not just on susceptible hardware and technology protocols, but on unsecured hot (online) wallets.

Attacks can also be orchestrated against blockchain applications and smart contracts. For example, a re-entrancy attack is an attack in which hackers continuously make withdrawal requests against a vulnerable smart contract until they drain the entire amount allocated to it.

Another risk related to blockchain technology is called double-spending. The most common occurrence of this is when a miner controls 51% of the computing resources, according to Investopedia.com. This would allow the attacker to control the consensus mechanism which would potentially allow the perpetrator to validate transactions, create blocks and award additional digital assets. While these attacks exist and the associated risks need proper mitigation, attackers commonly steal digital assets by compromising the private key of a user’s or organization’s digital asset wallet.

Criminals seek to hack a digital asset owner’s account containing their private keys which, in turn, gives them access to their funds, transactions, NFTs and other digital assets. Such attacks can take a variety of forms too, ranging from social engineering and phishing scams to malware, ransomware and fake digital wallet applications.

Five Ways To Stay Secure in the New Digital Age

Therefore, it is vital that organizations understand that the threat to their digital assets can come from every area of their system and application environment – then develop a defense in depth strategy to match.

Some of this comes down to basic cybersecurity hygiene, such as having a cybersecurity assessment and plan, proper device management, multifactor authentication, and the avoidance of public and/or unsecured wireless networks. We offer five more advanced defensive techniques that can help keep your digital assets out of the hands of attackers.

  1. Create an Offline ‘Cold Wallet’
    A cold wallet allows you to securely store cryptocurrencies and NFTs without being connected to the internet. The creation and storage of your private keys also happens offline, making it very difficult for hackers to remotely access them. This cold wallet – often a USB drive or piece of paper printed from a digital wallet application with the contents of the private key– should be kept far from any networked device in a fireproof safe, safety deposit box or some other offline, secure location.
  2. Segregate and Monitor Your Assets
    Rather than housing all your digital assets in one place, split them up across different accounts. Some should be accessible in a couple of clicks for day-to-day transactions, with the more significant part of your funds securely stored offline elsewhere. That way, if one of your private keys is compromised, not all your assets are at risk. Conduct regular balance and transaction checks, as this helps guard against scams.
  3. Stick To Trusted Devices and Networks
    Make sure you only use trusted devices and networks to access and transact your digital assets, such as encrypted VPNs, your own computer with strong malware protection, or a reputable digital assets exchange. You can also use a hash-based verification on applications, which is one-way mathematical hash to verify application integrity from the developers. This process compares the application’s executable to the original one provided by its developers, thereby confirming whether it is legitimate and free from tampering.
  4. Enforce Blockchain Specific Security and Controls
    Ensure everything from your logical access and change management protocols to your physical hardware and backup operations are designed properly to safeguard the integrity of your blockchain. You should also consider a zero-trust security architecture, including strong access controls and authentication, least privilege access roles, clear system segmentation, strong application and system security, and robust logging and detection capabilities in addition to secure consensus mechanisms for blockchain transactions. Any controls used to identify, detect, protect and respond to blockchain threats must also be precisely aligned to the type of digital assets you hold and transact.
  5. Manage Risk Inside and Outside Your Organization
    You may have all the necessary internal security architecture in place, but your organization’s digital assets could still be vulnerable if any third parties interacting with your system are less protected. Talk to your vendors, suppliers and other integrated third parties about their risk management, security and IT governance protocols and adhere them to your organization’s culture of security.

Cherry Bekaert Can Help Bolster Your Defense

Of course, the exact nature of every organization’s cyber defense and in-depth digital asset strategy will (and should) be different and tailored to its own internal systems, operating environment, and the types of digital assets it holds and transacts.

However, what is true across the board is that the threat is real, complex, and growing. It is therefore vital to fully understand what is at stake and then invest the necessary time, energy, resources, and attention to mitigate the risks and keep your digital assets secure.

How can Cherry Bekaert support your cybersecurity planning, risk mitigation and breach response? For more information about the different types of threats to your digital assets and how to safeguard against attacks or threats to your data and systems, contact Cherry Bekaert’s Information Assurance & Cybersecurity practice or your Cherry Bekaert advisor.

Additional Resource:
Small Firm Philosophy podcast, produced by the AICPA’s Private Companies Practice Section (PCPS) in partnership with the Journal of Accountancy podcast

1 “Cryptocurrency Exchange Hacks (Updated List For 2023)” – https://www.hedgewithcrypto.com/cryptocurrency-exchange-hacks/

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Contributor

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC