Without privacy there is no cybersecurity
The ultimate aim of cybersecurity is to protect organisations and individuals by protecting their systems and networks. To this end, it makes use of organisational, legal and technical measures. The human factor is the key element behind the chain of security guarantees and, at the same time, the final asset to be protected. However, if each individual's personal information is exposed, that individual becomes vulnerable to social engineering attacks aimed specifically at their weaknesses. In this way, the attacker reaches the heart of the organisation and of the individuals within it, bypassing technological protections.
Cybersecurity measures protect the systems, networks and services of public administrations, private entities, or even our domestic environment from technological attacks. However, cybersecurity is not an end in itself; it is a means of protecting organisations and individuals.
Such measures may be of different kinds: organisational, legal and technical; and behind them there are people who design, install, select, configure, activate or deactivate, use, comply with and control them. Therefore, the personal information (data, metadata, social and family environment, digital footprint, cryptographic keys, etc.) of the individuals behind cybersecurity measures becomes one of the main vulnerabilities of those measures.
During the year 2020, 85% of all technological breaches involved the human factor. Reality shows that the easiest way to compromise an organisation is to get someone inside to open the doors to intruders or, even better for the attacker, to directly execute the actions the intruder wants. Social engineering techniques have been developed to achieve this.
Social engineering is the action of deceiving or blackmailing a person into revealing information or taking an action that can be used to compromise or negatively affect a system or, ultimately, an organisation or a State. There are many social engineering techniques: from blatant extortion to pretexting, phishing, quid pro quo, baiting, smishing, vishing, farming, hunting, whaling, social network exploitation and so on. They are usually techniques of low technological complexity, but with increasing psychological and sociological refinement.
Attacks based on social engineering can be simple, i.e. using only the basic cognitive biases inherent in human nature. In these cases, success is often achieved through mass deliveries in the hope that a small percentage of victims will fall into the trap. While many of these are targeted at fraud and their impact is limited to the individual's environment, some can have serious impacts on the organisation or society.
Nevertheless, the most dangerous attacks are those tailored to the peculiarities of each individual. To do this, it is necessary to collect specific information about each person, going beyond name, address, account and card numbers, telephone numbers, emails, etc., and focusing on their weaknesses, evaluated on the basis of their purchasing profile, geolocation, beliefs, values, fears and desires; in short, their digital footprint and profile. Before mass digitisation, this information collection had to be focused on key individuals in a target organisation, but nowadays it can be carried out massively on the entire population.
This concept is nothing new. What is new is the level of potential vulnerability being reached through the large-scale collection of data on all spheres of personal and collective behaviour, with granularity and interoperability, and accessible to entities of all kinds, both private companies and public administrations.
Of course, any organisation will try to protect data that could make its general director, COO, CEO, CIO, CISO or any of the people who are key to the security of the entity (in short, almost all of its staff) vulnerable. However, all these roles are occupied by people who, no matter how important they are to the organisation, are merely customers or users for a social network, a financial, insurance or marketing company, a healthcare provider, a local council, a supplier, a content platform, etc. Data protection therefore transcends organisational boundaries and has an impact on the individual and on society.
It is in such entities, where we are clients, that the accumulation of and access to data from different spheres of private life take place, along with information leaks, personal data breaches, and the unethical or outright illicit use of data sets. Combined with processing resources and massive data analysis, these allow automatic profiling and the generation of key information on the vulnerabilities of each subject and, therefore, of the organisation or organisations to which he or she belongs.
To the extent that the principles of purpose limitation, limits on data retention and communication, minimisation and proactive responsibility are not applied to the processing of personal data, or data protection is not implemented by default and by design, the loss of privacy will make individuals vulnerable targets. In this way, the entity or organisation to which they belong will be dragged into insecurity.
In such cases, it will no longer be necessary to compromise systems to achieve the attacker's purpose. When the privacy, intimacy or free will of individuals is compromised, or simply conditioned, an attack on the heart of the organisation, or even on the State and its institutions, may materialise that no cybersecurity measure can mitigate.
Therefore, without privacy, the final goals of cybersecurity will be compromised from their foundations. Cybersecurity without privacy can work in regimes where there is no rule of law and no democratic guarantees, yet in these cases cybersecurity will have an object other than the protection of individuals: it will be just another tool to control and limit citizens' rights and freedoms.