Keith Smith - My Blog

FTX is a great business case study

Tuesday, April 11, 2023 - by Keith A. Smith

FTX is a "great" business case study and a "great" information security case study.

FTX was valued at $32B. It once managed $719B in crypto and had over 1 million users. Yet it ignored the basics on virtually every security front.

Here are 6 takeaways from the 39-page control report FTX debtors released earlier this week:

1. Governance - FTX had no dedicated cybersecurity personnel and no process for assessing cyber risk, implementing security controls, or responding to potential cyber incidents.

2. Identity and Access Management - No use of least privilege, no enforcement of MFA on critical systems including Google Workspace and 1Password (even though SBF stressed the importance of MFA on Twitter), and no use of Single Sign-On.

3. Cloud Security - Cloud infrastructure and accounts were shared across various corporate entities, and no cloud security monitoring or threat detection was in place.

4. Device Security - Employees were able to use personal devices with no corporate security controls.

5. Application Security - There was no focus on continuous security testing. Certain passwords, API keys, and private keys were stored unencrypted.

6. Technical Security - Crypto assets were stored in wallets far more susceptible to takeover.
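Takeaway 5 is the one a security team can start checking for the same afternoon: credentials sitting in the clear in config files and repositories. The script below is an added illustration, not something from the control report or from FTX's own tooling. It runs three simple detection rules (a PEM private key header, an AWS access key ID shape, and a `password`/`secret`/`api_key`-style assignment) over a constructed sample config and reports each hit with a redacted preview and the value's Shannon entropy, so that low-entropy placeholders can be triaged apart from real-looking secrets. The sample file contents, rule names, and thresholds are all assumptions made up for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: a config file of the kind that should never hold
# secrets in the clear. Every value below is made up for this example.
SAMPLE_CONFIG = """\
# app settings
db_host = db.internal.example
db_password = "Tr0ub4dor&3-not-a-real-password"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
log_level = info
api_token = 9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexampleexampleexampleexampleexample
-----END RSA PRIVATE KEY-----
"""

# Detection rules as (name, compiled regex). Where a rule isolates the secret
# itself, the named group "v" captures it so the report can redact it.
RULES = [
    # Any PEM private key header, encrypted or not: key material should not
    # live in a config file either way.
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
    ("aws_access_key_id", re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b")),
    # A credential-looking name assigned a value of at least 8 non-space chars.
    ("credential_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?token|api[_-]?key)\w*"
        r"\s*[:=]\s*[\"']?(?P<v>[^\s\"']{8,})")),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    preview: str        # redacted, never the full value
    entropy_bits: float  # 0.0 when no value was captured


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for an empty string or a single repeated char."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to find it in the file, not to reuse it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Apply every rule to every line and return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.groupdict().get("v")
            if value is None:
                findings.append(Finding(line_no, rule, "PEM header", 0.0))
            else:
                findings.append(Finding(line_no, rule, redact(value),
                                        round(shannon_entropy(value), 2)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.preview}  entropy={f.entropy_bits}")
```

Running the script over the sample flags the database password, the AWS key ID, the API token and the private key block, while the host name and log level pass untouched. In practice the same idea is run as a pre-commit hook or CI step against the whole repository, and the entropy column is what separates a stray `password = changeme` from a live credential that needs rotating.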

The culture of control failure extended beyond information security to management, finance, and accounting.
