Security Best Practices for Digital Asset Treasury (DAT) Companies

POSTED BY: Rob Behnke

08.12.2025

Digital Asset Treasury (DAT) companies specialize in holding cryptocurrencies and other digital assets. One example of a DAT is MicroStrategy, which is famous for its decision to hold large amounts of Bitcoin as its primary treasury asset. This allows the company to benefit from the price increases in cryptocurrencies, and investors can gain indirect exposure to crypto by buying shares in these companies.

However, holding digital assets like Bitcoin carries risk and can make an organization a target for cybercriminals. DAT companies should implement security best practices to ensure that their assets are properly protected against potential theft.

Access Management and Governance

Weak access controls and account takeover attacks are common threats to digital asset security. If an attacker can steal a private key or trick someone into signing a malicious transaction, they can drain crypto from a company’s wallets.

Some best practices to enhance the security of on-chain accounts include:

  • Governance Policies: DAT companies should have governance policies in place mandating processes for buying, selling, and trading cryptocurrencies. This should also include oversight of all transactions and recordkeeping to support transparency and compliance.

  • Least Privilege Access: Overly powerful accounts are prime targets for cybercriminals, who abuse the privileges assigned to a compromised account in their attacks. All accounts associated with crypto holdings should have least privilege access controls in place to minimize the threat that they pose to the business.

  • Multi-Sig and MPC Wallets: Compromised private keys are a common cause of crypto hacks. Storing tokens in multi-sig or MPC wallets means an attacker has to steal multiple keys or trick several users in order to carry out an attack.

  • Hardware and Cold Wallets: The security of key storage is also important due to the threat of malware stealing private keys. Keys for all accounts should ideally be kept in hardware wallets.

  • Key Backups: Lost keys can result in crypto assets being lost forever. Backup keys should be stored off-site and offline to protect against potential disasters.

  • Key Custody: DAT companies may use a professional custody provider to secure and manage their private keys. Before doing so, they should complete due diligence to ensure that the provider has the policies and controls needed to properly protect the assets in their care. 

Infrastructure Security

Cyberattacks targeting organizations with large crypto holdings are increasingly focused on backend infrastructure. Attackers might infect an employee’s computer with malware to steal private keys or deploy malicious versions of critical software, which was a key element of the Bybit hack.

DAT companies need to implement traditional Web2 security best practices to address these potential risks. Best practices include:

  • Endpoint Security: Computers should have antimalware installed to protect against attempts to steal keys or introduce malicious versions of software. Scans should be automated and run regularly, covering all files on the system as well as new downloads.

  • End-to-End Encryption: All communications related to crypto holdings should be encrypted end-to-end. This helps to protect against potential eavesdropping or malicious modifications.

  • Network Security: Most cyberattacks occur over the network. Firewalls, network segmentation, and other network security best practices increase the ability to monitor traffic and block attacks.

  • Ongoing Monitoring: Hacks in the crypto space often occur quickly and are irreversible once transactions are posted to the blockchain. Ongoing monitoring for suspicious and anomalous activity is essential to identify potential hacks before an attacker can execute malicious transactions.

  • API Security: Wallet software and smart contracts may be linked to existing infrastructure via APIs. If this is the case, APIs should be implemented and secured in accordance with security best practices, such as the use of a web application and API protection (WAAP) solution.

Social Engineering Protection

Social engineering attacks, like phishing, are common everywhere, and this is especially true in the Web3 space. Cybercriminals have developed numerous scams and schemes to steal keys, deploy malware, and trick users into approving malicious transactions.

Some best practices that DAT companies can implement to help manage the human risk to their digital assets include:

  • Employee Training: Social engineering attacks are designed to trick or coerce their targets. Training employees on common scams and how to handle them reduces the risk that they fall for these attacks.

  • Technical Controls: Teaching employees about phishing and other common social engineering tactics doesn’t guarantee that every attack will be caught. Implementing technical controls, such as email scanning to identify phishing attacks, reduces the risk to the business.

  • Separation of Duties: Social engineering attacks often rely on the target being able to independently take some action to advance the attacker’s goals. Breaking critical processes up to require actions by multiple parties increases the complexity of these attacks.
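
The Multi-Sig and Separation of Duties points above can be expressed as an off-chain approval policy that is evaluated before a transfer is ever sent for signing. The sketch below is an added example, not code from Halborn or any wallet product; the signer names, departments, threshold and the `evaluate` function are hypothetical, and it assumes each approval has already been authenticated.

```python
from dataclasses import dataclass

# Constructed signer registry: signer id -> department (hypothetical names).
SIGNERS = {
    "alice": "treasury", "bob": "treasury", "erin": "treasury",
    "carol": "security", "dave": "finance",
}
THRESHOLD = 3  # M of the N registered signers must approve


@dataclass(frozen=True)
class Approval:
    signer: str
    tx_id: str


def evaluate(tx_id, initiator, approvals):
    """Return (allowed, reasons) for a proposed transfer."""
    reasons = []
    valid = set()
    for a in approvals:
        if a.tx_id != tx_id:
            reasons.append(f"{a.signer}: approval is for a different transaction")
        elif a.signer not in SIGNERS:
            reasons.append(f"{a.signer}: not a registered signer")
        elif a.signer == initiator:
            reasons.append(f"{a.signer}: initiator cannot approve own request")
        else:
            valid.add(a.signer)  # a set collapses duplicate approvals
    if len(valid) < THRESHOLD:
        reasons.append(f"quorum not met: {len(valid)} of {THRESHOLD}")
    # Separation of duties: one department alone must not be able to move funds.
    departments = {SIGNERS[s] for s in valid}
    if len(departments) < 2:
        reasons.append("approvers all belong to one department")
    allowed = len(valid) >= THRESHOLD and len(departments) >= 2
    return allowed, reasons
```

A request that is rejected here never reaches the signing devices, so a single tricked or compromised employee cannot complete a transfer alone.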

Risk Management and Compliance

By investing in crypto, DAT companies face various security and compliance risks. Some best practices to help alleviate this exposure include the following:

  • Security Audits: Security audits are often mandated for compliance and can reduce an organization’s risk exposure. Performing regular audits of both on-chain and off-chain infrastructure and systems reduces the threat of security incidents and regulatory non-compliance.

  • Automated Monitoring: Automatically monitor all transactions performed on-chain. This can help to identify anomalous transactions that may indicate an attack and can support compliance efforts.

  • Regulation Tracking: The Web3 regulatory landscape is extremely fragmented, as different countries go in different directions and may change policies rapidly. Monitoring potential and pending changes to regulations helps to ensure ongoing compliance.
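
The Automated Monitoring point above, and the Ongoing Monitoring point under Infrastructure Security, come down to evaluating every outgoing transfer against policy as it appears. The following is an added example, not Halborn's tooling: the addresses, limits, rule names and sample records are constructed, and it assumes records arrive in time order from whatever indexer or node feed the company uses.

```python
from datetime import datetime, timedelta

# Constructed policy values; real limits come from the governance policy.
ALLOWLIST = {"addr_exchange", "addr_cold_vault"}
MAX_SINGLE = 50.0                       # asset units per transfer
WINDOW, MAX_IN_WINDOW = timedelta(hours=1), 80.0

# Constructed sample records (not real chain data):
# (time, source, destination, amount)
TRANSFERS = [
    ("2025-01-06T10:00:00", "addr_hot", "addr_exchange", 20.0),
    ("2025-01-06T10:20:00", "addr_hot", "addr_cold_vault", 45.0),
    ("2025-01-06T10:40:00", "addr_hot", "addr_exchange", 30.0),
    ("2025-01-06T15:00:00", "addr_hot", "addr_unknown", 5.0),
    ("2025-01-06T18:00:00", "addr_hot", "addr_exchange", 75.0),
]


def scan(transfers):
    """Return (index, rule) alerts for a time-ordered list of transfers."""
    alerts, recent = [], {}  # recent: source -> [(time, amount)] in the window
    for i, (ts, src, dst, amount) in enumerate(transfers):
        t = datetime.fromisoformat(ts)
        if dst not in ALLOWLIST:
            alerts.append((i, "destination_not_allowlisted"))
        if amount > MAX_SINGLE:
            alerts.append((i, "single_transfer_limit"))
        # Keep only this source's transfers from the last WINDOW, then add this one.
        window = [(pt, pa) for pt, pa in recent.get(src, []) if t - pt <= WINDOW]
        window.append((t, amount))
        recent[src] = window
        # Catches a drain split into many small, individually allowed transfers.
        if sum(pa for _, pa in window) > MAX_IN_WINDOW:
            alerts.append((i, "rolling_outflow_limit"))
    return alerts
```

Because confirmed transactions cannot be reversed, rules like these are most useful when they run on pending or proposed transfers and page a human before signing, not only after the fact.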

Securing Digital Asset Treasuries with Halborn

Digital assets and cryptocurrencies are an appealing investment for many companies. Crypto is less coupled to fiat currencies than many other assets, enabling risk diversification. Additionally, Bitcoin’s price has grown significantly in recent years, demonstrating that it is a good investment.

However, directly holding crypto assets as part of a corporate treasury comes with various risks, ranging from security threats to compliance issues. DAT companies need to implement security controls and processes designed to manage these risks and protect against stolen crypto and lawsuits.

Halborn offers consulting services designed to help DAT companies and other Web3 organizations implement security programs aligned with industry best practices and regulatory requirements. To learn more about how to protect your digital asset treasury from top threats, get in touch.
