Cybersecurity and privacy: two major social challenges

By David Megías, researcher of IN3’s KISON research group.

The digitization of society is advancing at an accelerated pace, increasingly embracing more and more areas of human activity. The COVID-19 pandemic has not been limited solely to the health and economic crises that were the subject of last year’s headlines, but has also served to catalyse the digital transformation of society in a way that would have been unthinkable just days before the advent of the lockdowns.

This situation has forced thousands of organizations around the world to move their activities to the Internet immediately and without the possibility of preparing a graceful transition to this new reality. In this context, cybersecurity and information privacy are two areas to which both organizations and the general public should pay more attention.

It is certainly nothing new, but the sudden digitization of everyday activities has served to raise awareness about the importance of information and vulnerabilities in our computers and networks.

Security and privacy: two main priorities of universities and companies

The importance of information security and privacy in the work context has been a subject of study for many years now. For example, in 2014, an analysis by the EisnerAmper firm, based in New York, ranked cybersecurity the third biggest risk in business management, behind only financial and reputational risks.

More recently, in 2018, the International Information System Security Certification Consortium, or (ISC)², estimated that three million jobs were vacant in cybersecurity worldwide due to the lack of experts in the field, and almost three hundred thousand of those were in Europe.

Accordingly, the security and privacy of information and computer networks have long been part of the research and training priorities of universities and scientific institutions. Over the past two decades, the number of cybersecurity-focused research groups and institutes has continued to grow.

In addition, security and privacy have gained an increasing share in the curricula of various engineering programmes, and it is not difficult to find specific master’s programmes in this area. University programmes offered to train new generations of cybersecurity experts still have room for growth to meet the market’s job needs. It is therefore an area of expansion in the coming years and an obvious professional opportunity for young people.

Little awareness of cybersecurity threads among citizens

It seems clear that companies, public bodies and higher education and research centres are already preparing for a new, more digital reality and that investment in cybersecurity is one of the key factors to be competitive in this new scenario.

But what about the general public? Regrettably, this is one of the main gaps in the digital transformation currently taking place. Cybersecurity is often perceived as an eminently technical issue that should only worry businesses, while there is very little awareness of the cybersecurity and privacy threats that affect citizens in their day-to-day activities.

Unfortunately, cybercrime is not limited to organizations and a large number of attacks are targeted at home users. A recent example of this is the case of fake calls from an alleged Microsoft support service. This very widespread scam consists of contacting victims by phone to inform them of a critical vulnerability on their computer, offering remote assistance to fix it.

The scammer convinces the victim to install an application that allows them to control the mark’s computer remotely and, once inside, obtain all the personal and private information stored on it, often including bank and financial details. Many people have seen their savings vanish in this way, in a matter of minutes.

Such situations show that the methods employed by cybercriminals are not always technically sophisticated, as Hollywood movies are wont to depict, but are often based on effortless “social engineering” tricks, which are simple to deploy and work statistically when applied to a large number of victims. It matters little that the success rate for each target person is small, if the criminals can reach tens or hundreds of thousands of users.

A somewhat more advanced version of this type of attack is based on sending emails or links from websites that impersonate those of a well-known company or public body. These threats are known as “phishing” and usually aim at obtaining bank or credit card details.

Interdisciplinary training to avoid scams

Among the most important challenges that we will face in the coming years in the field of digitization is that of training our fellow citizens to protect themselves against these scams, which are often more rooted in sociology than technology. It is therefore necessary to provide society with interdisciplinary training that allows the technical aspects of digitization to be combined with those of the social sciences to improve our preparation, allowing a robust digital transition with less exposure to cybercrime.

Thus, it will be essential for universities to include interdisciplinary aspects into bachelor’s and master’s degrees that deal with cybersecurity, if they want to offer comprehensive training on this subject. In addition, training efforts should not be limited to higher education, but should be included in curricula to ensure that skills are learnt at early ages, during compulsory education.

Defending our privacy without giving up security

Another major challenge that hyper-digitalized societies must face is information privacy. Privacy and security are often represented on a weighing scale, suggesting that an increase in one necessarily leads to a decrease in the other. This picture is simplistic and misleading, implying that security and privacy cannot be achieved simultaneously.

The apparent contradiction between security and individual freedoms is by no means a new concept. Indeed, as far back as the 18th century, Benjamin Franklin stated that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

Franklin’s words still apply today, meaning that we should not buy some “temporary cybersecurity” in exchange for giving up our privacy. As in the case of cybersecurity, it will be necessary to train society on the importance of information privacy and empower it, giving people control over their data and enacting laws such that they are not owned by companies.

Our obligations should include defending our privacy without giving it up in exchange for security, since both must be compatible within the framework of a well-trained and advanced digital society. The research groups and institutions that work on these topics are responsible for spreading this message in order to build a much more mature and sovereign society in the current context of accelerated digital transformation.

This article was published in InfoLibre (Spanish) on 7th February 2021.

David Megías, is the director of the IN3 and lead researcher of the IN3’s K-riptography and Information Security for Open Networks (KISON) research group. His main research interests focus on the study of information security and privacy protection systems, with special emphasis on digital multimedia content.