There’s an organization where children of employees have to sign nondisclosure agreements before attending company parties—the only exception is for kids who haven’t yet learned to write—and where a parent had to explain to his 8-year-old that she couldn’t exchange Pokémon with friends because the boss forbids her from connecting her Nintendo Switch to the internet. When he goes to work, that same father has to leave his made-to-order suit, luxury French watch, and classy leather shoes in the closet, donning a $9 Uniqlo T-shirt and jeans to blend in with the crowd near the office.
This organization isn’t an underground criminal group or an intelligence agency—it’s Payward Inc., the San Francisco-based company established in 2011 to operate the cryptocurrency exchange Kraken, which investors now value at $10 billion. Nick Percoco, the company’s lushly bearded chief security officer, says ransomware attacks often start with cybercriminals digging up personal information about employees online and using it to tailor phishing emails containing malicious software. So he’s set out to install a company culture of vigilance—some would say paranoia—about guarding personal information. “Security has become part of our culture in a way that I don’t even have to say it much anymore,” says Percoco, a 25-year cybersecurity veteran. “I feel it.”
Payward’s guiding principle is that a lax security mindset in one’s private life bleeds over to work. New Payward employees spend two days in security classes, then three days setting up office PCs and passwords. Then there’s a week to go over a 70-item checklist of recommended personal security measures, including setting up hardware token login authentication for personal devices, installing alarms and surveillance cameras at home, and closing social networking accounts.
After the initiation, employees are prohibited from using public USB charging ports, identifying themselves as Kraken workers, or sharing the location of their offices with family members. The devices of any employee who downloads unusually large chunks of data, gains access to suspicious websites, or uses a phone in unusual ways are immediately locked down, followed by a call seeking explanation.
So far, Percoco says, Payward’s cybersecurity defenses haven’t been breached, even though crypto trading platforms are an attractive target for hackers and the company is regularly hit with hacking and phishing attacks.
Masanori Kusunoki, a director of the Japan Virtual and Crypto Assets Exchange Association, sees Payward’s measures as extreme but sensible. “It is surprising that a company is successfully implementing such strong measures to all the employees because people don’t like to spend that much of energy to cybersecurity,” he says.
Takeshi Chino, Payward’s Japan chief—and the one who has to commute in costume—can’t tell his wife the physical location of the office. He is one of the few executives the company has authorized to acknowledge publicly that he works at Payward, a privilege gained only after the security team audited all the information that could be gleaned about him by searching the public internet, dark web, and government records. Chino, 37, also supervised his 6-year old son as the boy signed his first NDA before attending a company event two years ago at an Italian restaurant.
“I heard from people that Kraken is crazy about security before I joined, and yes, it is really intense about it from Day 1,” Chino says in a video chat, where his background is completely black except for the company logo. “But that’s what it takes.”