By Silvia Arezzini, IT project manager at the Italian National Institute for Nuclear Physics
In this month dedicated to cybersecurity, I’m thinking a lot about the link between cybersecurity and privacy. Reflections and considerations that I’ll try to share!
I am an IT technologist and I have been working in the DPO (Data Protection Officer) team of an Italian Research Institution for some years now. However, privacy issues have caught my attention for a couple of decades… since in the early 2000s people really started talking about “privacy laws”.
Now I can no longer separate the thought of privacy from my life experience and I often feel this awareness as a second skin. An awareness that came slowly, after much reading and much reflection. An awareness that I feel the duty to disseminate and also to promote, so that people close to me can take less time and less effort to understand why it is so important.
Awareness, basically, means knowing that there are dangers around us, perhaps hidden behind harmless activities, and often spread by false securities. We all hear about cyber dangers… but it is important to understand (i.e. be aware) that these dangers are not far from us. On the opposite, they are often right next to us and we can take risks and become victims without even realizing it!
But how can we become more aware?
We all know that our lives have been transformed by the progressive transition to digital and that the traditional concept of “discretion” so close to the idea of privacy (practically a synonym) has in turn been transformed by enriching itself with different meanings.
Protecting your privacy still means making sure that news about us remains confidential, but the impressive growth in possible access to this news makes the security operation highly complex. The applications and social networks are just some of the sources of personal information concerning us.
Because our data are also located on the institutional databases of our employer, of our Council, our gym… and whenever these databases are not managed internally, the data also can end up in the clouds of companies dedicated to archiving data and the provision of services.
That’s why thinking about privacy means thinking about maintaining control over the flow of data concerning us.
And how to do it?
The first suggestion is to reflect before giving someone our personal data… and do it only if it’s really worth it and if we can trust people asking us the information. Unfortunately, it’s not easy to understand. All providers give indications (the information on the processing of personal data) but these indications are often too long and complex for a quick and at the same time careful reading… so let’s take the time, when possible, to read and perhaps reflect on the required information!
Let’s not forget to be “confidential” and therefore reduce the amount of personal information we provide on social networks as much as possible. Because even news about us that are apparently insignificant can instead reveal habits, behaviours, personal preferences, and facilitate illegal actions against us. Unwanted advertisements, for example, but also real criminal acts… because if we tell a lot about ourselves, unknown people could take advantage of it!
These first considerations introduce a reflection on a second aspect of awareness concerning the technical aspects related to the storage of our data and their protection once we have provided them. People working in the IT sector know that privacy and cybersecurity are closely linked. Only by creating a secure environment from an IT point of view, it’s possible to protect our data, especially personal data. Privacy therefore comes from cybersecurity! And as such it inherits a heavy burden: the human factor.
Because cybersecurity is not only made up of technical measures, but also of operating methods and rules of behaviour that we all must follow, not only in a formal way, but also by understanding their reasons and substance. Do not “click” on any link, especially if sent by e-mail from dubious addresses, follow the rules on passwords indicated by the IT infrastructure managers, immediately notify the IT division in case of anomalies in our files, perform periodic backups of our important data. They are all essential actions to reduce the risk.
Our actions, as aware users, who on one hand rely on specialists for the setup of the IT environment and its protection, but on the other actively collaborate to create a safe environment.
What about IT professionals?
They first of all need to be aware and need to promote awareness. Putting technical measures into practice is essential. And following cybersecurity frameworks in order not to forget important aspects is also very important! A well-structured environment designed to be protected runs less risk than a deconstructed environment, obvious isn’t it? We all know it, but making it isn’t easy. That’s why I mentioned cybersecurity frameworks: schemes and lists of actions and checks to be carried out systematically, studied by specialists and verified in the field.
And to better protect personal data?
Here my suggestion is not to forget the GDPR (General Data Protection Regulation) and its basic rules: data minimization (to request only strictly necessary personal data), privacy by design (to build infrastructures and choose applications having privacy as the goal from the design stage) and privacy by default (making sure that basic configurations are themselves equipped with data protection measures).
Clear enough then… A good level of organization is required to provide users with awareness that can become a shared asset… I’m sure of it! And paraphrasing a motto attributed to Seneca (Luck does not exist. There is a moment when talent meets opportunity), I would like to say that “Misfortune does not exist. There is a moment when poor organization meets bad guys…”
About the author
Silvia Arezzini works as a systems engineer and project manager in the Calculation Center of the INFN (Italian National Institute for Nuclear Physics), in the Pisa section. She collaborates in national INFN activities in the field of Authentication and Authorization infrastructures (INFN-AAI) and in the training sector with particular reference to e-learning methods. She deals with privacy and is one of the members of the INFN DPO team.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022