How's that feel for committing a crime without knowing it ?
Photo Source : https://www.bbkz.com/forum/showthread.php?t=1770202

As you read this, I hope you had a wonderful new year holiday. It is the time to relax, spend time with your family and loved ones, and get refreshed and ready for the new year. This year, I had a surprise for my son – I took my family on a camping trip! As ordinary as it may sound, for us Hongkongers camping in the wild is still a thing. Though it was not exactly a camp in the wild, as it was a privately owned facility on a remote island in Hong Kong called Cheung Chau. We camped along with 200 people, mostly boy scouts, on Christmas night. It was fun and perfect for those who want to enjoy outdoor camping without the risk. During our stay, we did what most tourists do in Cheung Chau – ride a bicycle, or I should say, a tricycle! Like many, the strongest in the family takes the wheel (yours truly!) and navigates through the small alleys of the island while the rest of the family enjoys the scenery from the back seat! It is fun and a great way to see the island from east to west.

On our way back to the city, as we took the ferry, a public announcement video by the police caught my attention. I bet not many would have paid attention to the video, as more than half of the passengers aboard the ferry were already asleep and the remaining passengers could not have cared less, as the video looked quite dated. However, what got my attention was the mention in the video that it is unlawful to carry passengers on bicycles and tricycles in Cheung Chau, and even in Hong Kong, to be sure. What? That means I literally just broke the law carrying my family on a tricycle, and so did hundreds of other people who rode tricycles on the island.

Partner-in-crime

I did some research and realized that it is indeed unlawful in Hong Kong to carry passengers on bicycles. For tricycles, carrying passengers is allowed, but only in specific areas, and that does not include Cheung Chau! On average, around 200 to 300 “traffic tickets” are issued every year, with a maximum penalty of HKD 2000.

Also, I always thought that tricycles are safe and there is no reason to be worried, but I was wrong. There was a tricycle accident reported in 2010, where a 9-year-old riding a tricycle hit a fence on Cheung Chau island and overturned, causing serious injury to the 59-year-old passenger he was carrying in the back seat.

So the risk is real and the law and regulations are legitimate. But the question is – is it enforced effectively? In my case, I became aware of the law only as we were leaving the island. And most likely, I’ll ride a tricycle again the next time I come, unless I remember the rules or I’m willing to take the risk.

In order to enforce the law effectively, does everything depend on educating and penalising the visitors? What about the tricycle rental shops? Shouldn’t authorities penalise the tricycle rental shops along with the tricycle riders? They are also partners-in-crime for providing the tool.

Why didn’t you tell me earlier? It is your fault!

All this reminds me of the daily life of a security practitioner, who has a long list of IT security policies that reduce risk if, and only if, they are enforced effectively. Far too often, these security policies are buried in the new hire employee handbook or hidden in the security awareness posters in the pantry or the lift lobby, which no one pays attention to anyway. It is like the police video on the ferry that I saw, where people only see the warning message after they have already violated the policy.

As such, people either choose to ignore warning messages or have a habit of saying “why didn’t you tell me earlier? It is your fault!”. The tricycle story reminds me of the data storage device, the USB flash drive, the most notable security loophole in a modern enterprise. Many enterprises have banned USB flash drives just like the tricycles in Cheung Chau, but is it really so? Like all the merchants in Cheung Chau who would argue that a tricycle ban is bad for tourism, enterprise users would argue that it is necessary to share files with people for work, or even for a regular backup, in light of rising ransomware attacks.

No wonder more and more enterprises these days are moving away from the traditional lock-down approach. But as security practitioners, how can we mitigate the risk once the floodgate is open? Is there something in between YES and NO? Security should not be all or nothing, should it? The good news is, there are plenty of technologies available today which can address the security gaps exposed by flash drives and many others, from hardware-encrypted removable media to data loss prevention (DLP) that prevents sensitive and regulated data from being copied to a flash drive. In the case of the tricycle, maybe the focus should not be limited to just education and enforcement, but also on how to secure the tricycle so that people can enjoy the ride safely. In the age of digital transformation, technology is here to help, enabling people to do more, and to do it securely.

Be predictive, not reactive

Obviously, new solutions also bring new problems. In any enterprise today, out of the tens of thousands of files copied to flash drives or uploaded to the cloud every day, many are sensitive and critical. But how can we know if someone is copying or uploading the file(s) for a genuine business purpose or transferring the critical data with malicious intent? DLP incident managers all around the world are struggling every day, trying to see through all the security incidents in order to bubble up the riskiest ones. Most of the time, incident managers are looking at a single incident that occurs at a particular moment in time, but how can we uncover the motive behind the action? The good news is, with advanced behavioral analytics capabilities integrated with data security, security practitioners can correlate incidents from each individual and prioritize risk based on the criticality of the data, creating a heat map of the riskiest users and taking action accordingly. Taking it one step further, security policy can be automated and tightened for those who demonstrate a higher risk level and relaxed for those with a lower risk level. This way, security can truly be enabling, giving less risky employees more flexibility while being predictive enough to stop the bad before it is too late.
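As an added illustration of the per-user correlation and adaptive policy described above (example code written for this page, not the author's or any vendor's product), the script below scores constructed DLP incident records per user, ranks users into a heat map, and maps each score to a removable-media control tier. The criticality weights, score thresholds and tier names are assumed values.

```python
from collections import defaultdict

# Constructed sample DLP incident records (not real data):
# timestamp, user, channel, data classification, number of files moved
SAMPLE_INCIDENTS = """\
2019-01-02T09:12:00 alice usb public 3
2019-01-02T09:40:00 alice cloud internal 1
2019-01-02T10:05:00 bob usb confidential 12
2019-01-02T10:07:00 bob usb regulated 4
2019-01-02T11:30:00 carol cloud internal 2
2019-01-03T08:15:00 bob cloud confidential 20
2019-01-03T09:00:00 dave usb confidential 5
"""

# Assumed criticality weight per data class and assumed tier thresholds;
# both would be tuned to the organisation's own classification scheme.
CRITICALITY = {"public": 0, "internal": 1, "confidential": 5, "regulated": 10}
BLOCK_AT, ENCRYPT_AT = 100, 20

def parse_incidents(text):
    """Split each whitespace-separated record into a dict."""
    incidents = []
    for line in text.strip().splitlines():
        ts, user, channel, data_class, count = line.split()
        incidents.append({"ts": ts, "user": user, "channel": channel,
                          "data_class": data_class, "count": int(count)})
    return incidents

def score_users(incidents):
    """Correlate incidents per user rather than judging each in isolation:
    score = sum of (criticality weight * files moved) across all incidents."""
    scores = defaultdict(int)
    for inc in incidents:
        scores[inc["user"]] += CRITICALITY[inc["data_class"]] * inc["count"]
    return dict(scores)

def risk_heat_map(scores):
    """Rank users from riskiest to least risky (ties broken by name)."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def policy_for(score):
    """Adaptive control: tighten removable-media policy for high-risk users,
    relax it for low-risk ones instead of one all-or-nothing ban."""
    if score >= BLOCK_AT:
        return "block_removable_media"
    if score >= ENCRYPT_AT:
        return "require_hardware_encrypted_media"
    return "allow_with_logging"
```

Calling `risk_heat_map(score_users(parse_incidents(SAMPLE_INCIDENTS)))` on the sample puts bob (three incidents, 200 points) at the top and alice (one internal file) at the bottom, even though no single incident of bob's would stand out on its own.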

More articles by William Tam