Today I am talking with Stefano Tranquillini, the CTO at Chino.io Stefano about his involvement in C3ISP, an EU Commission funded project, which aims at building a collaborative and confidential information sharing system for cybersecurity threats and attacks. Stefano has a Ph.D. in IT and is leading our participation in C3ISP project for the last 3 years.
1) Why is cybersecurity important?
Stefano: Cybersecurity is the protection of computer systems from theft or damage to their hardware, software or electronic data and disruption. In the digital age, the cybersecurity is one of the major challenges. Almost every aspect of our lives involves social media sites, businesses and governments collecting, storing and processing our data. If not stored and collected properly, this data can do a lot of harm.
For example, each time we contact the doctor, we don't need to remember our full health history. We trust doctors (or mHealth apps) with having our sensitive information. This process is built on a trust and unfortunately, that trust sometimes is broken. Companies fail to store information safely, causing disruptions and possible information theft.
We all know about Facebook–Cambridge Analytica scandal. However, there were many more data breaches even before that. Back in 2014, Yahoo went through the biggest data breach in the history. The attack compromised the names, emails, dates of birth and phone numbers of 500 million customers. While in 2016 Adult Friend Finder lost information of more than 412.2 million accounts on six databases that had 20 years of data. The threat is real and data including your name, address, date of birth must be stored properly.
2) How did you learn about the cybersecurity?
Stefano: Cybersecurity always fascinated me, especially after receiving Ph.D. in the IT. I started exploring the topic on my own, with a specific focus on encryption methods and algorithms. Later, me and other fellow Ph.D. student at Trento University, Jovan Stevovic decided to build a platform that helps digital health innovators to ensure GDPR and HIPAA compliance. This is how Chino.io was born.
Now, after 4 years of hard work, I can confidently say that the technical side of cybersecurity is my bread and butter. For the last two years we are involved in C3ISP, an EU Commission funded a project, which aims at building a collaborative and confidential information sharing system for cybersecurity threats and attacks. Here we collaborate with companies and organizations such as BT, SAP, HPE, and CNR.
3) What is Cybersecurity Day 2018 and how does it fit in the C3ISP project?
Stefano: C3ISP is an EU Commission funded a project that aims to create a collaborative and confidential information sharing system for cybersecurity threats and attacks. The project connects companies like British Telecommunications, Hewlett-Packard, SAP, together with research institutions such as Consiglio Nazionale Delle Ricerche – CNR, University of Kent, Digital Catapult, CEA, Istituto Superiore Delle Telecomunicazioni (MISE). It also includes SMEs such us Grid Pocket, 3D Repo and us, Chino.io. C3ISP allows Chino.io to take part in shaping EU cybersecurity and privacy. Together we are building a safer digital European Union.
Cybersecurity Day 2018 is one of the side events of the internet festival in Pisa, Italy. Different stakeholders, including companies such as SAP/HP, startups and researchers were sharing good practices in the Cybersecurity field. For example, I was pleasantly surprised by Sandro Etalle, the founder of the leading company in cybersecurity, Security Matters. I was amazed at how similar our business stories are. He, just like us, built his company after being a researcher. Security Matters, as well as Chino.io, was developed via different accelerators and projects.
Furthermore, after one of the speakers didn’t show up, I spontaneously joined a panel: ‘The Role of the Industry, from Association to Startups on the Cybersecurity” (in Italian: Il ruolo dell’industria, dalle associazioni alle start up per la cyber security). I was honored to share the same panel with SAP, HP, Security Matters, and ECSO. Once again I confirmed that all companies face difficulties understanding and implementing vital security measures.
“Even big corporate customers have difficulties in ensuring that customer data is protected. Actually, for most of the cyber security is a dreadful foreign term”.
Chino.io already went through similar cases while working with different startups, software agencies, hospitals, and corporates. Including projects like providing a Data Security Platform for developers of mental health app IPS (NL) developed by Worth.systems (UK), App developed by Knapp (IT), Service dispatching app Etnenos (DE) developed by Nursit-Institute (DE), Diagnosis app (not yet online) for Predicare (SWE) developed by Belka.us (IT), Pill reminders device Trillio (IT) developed by Thread Solutions (IT), Diagnosis web app BabyTime developed by TBD (HU/AUT). It is compelling how much cybersecurity field has changed within 4 years from when Chino.io was founded.
4) What has changed after the introduction of the GDPR?
Stefano: Introduction of a new General Data Protection Regulation was a big step in making Europe fit for the internet-connected age. With solid common standards for data protection, EU citizens can now be sure they are in control of their personal information. It brings EU laws and obligations around personal data, privacy and consents up to speed for the digital age. The main aim of this framework is to simplify the regulatory environment for business so they could fully benefit from the digital economy.
The framework was not enforced yet, therefore, there are no exact numbers about how many took this law seriously, by reviewing all their systems. So no significant differences except loads of GDPR newsletters on 26th of May.
“Companies tend to procrastinate by postponing the implementation of even such a vital parts of the law like GDPR. They drag it as long as possible or overall avoid doing it. However, this mindset is, luckily, changing for the best”.
Other markets like the US already had a similar framework, HIPAA in place and other big markets like India and China are still drafting their own, that might reflect on the learnings of this law implementation and enforcement in the EU. US companies take cybersecurity much more seriously, as their data protection laws, like HIPAA, went into effect a long time ago.
5) How we as consumers can ensure our data security on a daily basis?
Stefano: First of all, don’t let the complexity of cybersecurity scare you. People should understand that in digital age cybersecurity is as important as ensuring your personal security on the street. Where we surf, what pages we open will determine, who has access to our data and our lives.
Secondly, give your information just to safe providers. Consumers should ask businesses to be accountable. There were many breaches even before the Facebook–Cambridge Analytics data scandal and unfortunately we can expect even more in the future. According to the GDPR and HIPAA consumers should be provided with the information on how their information will be used and if it is not done, the user has a right to ask the company about how and where information is stored.
Always use Firefox over other browsers. This browser does not collect personally identifiable data, or what websites you go to. It protects you from being tracked by advertising networks across websites, which has the lovely side effect of making sites load faster.
Don't forget to clear the cookies when the browser is closed. A cookie is a little bit of data stored on your computer by a website that’s related to your activity on the site. Managing cookies is a privacy maintenance task that everyone should understand, the digital equivalent of regularly changing your smoke detector batteries.
Use a password manager and generate the password randomly. In many instances, people use the same password in all websites making hacking all their accounts very easy. The typical password manager installs as a browser plug-in to handle password capture and replay. When you log in to a secure site, it offers to save your credentials. When you return to that site, it offers to automatically fill in those credentials. And, if you've saved multiple logins for the same site, the password manager offers you multiple account login options. Most also offer a browser toolbar menu of saved logins, so you can go straight to a saved site and log in automatically.
Put tape on camera and microphone. It cost nothing, but better to have it than not have it. For the microphone, go into your device’s preferences and disable the microphone (in Windows and Mac OS X, this is the system settings). On Android, you can revoke app access to system functions, including the cam and microphone.
Get a software firewall and antivirus if you need. Antivirus defends against security threats through surveillance. That is, by constantly looking out for malicious software (and not just viruses). Whereas firewall defends against security threats through governance. That is, by setting rules and forcing you and the internet to play by those rules.
Get a VPN for non-safe networks. A safe network is only the network you control. It easy to hijack an open network (such as the one in the bars or open spaces).VPN is an acronym for Virtual Private Network. The purpose of a VPN is to provide you with security and privacy as you communicate over the internet.
Protect your data with Two-Factor Authentication. Put password and 2fa always. When activated, you’ll be prompted to enter an additional unique security Code after entering your Master Password each time you unlock your database.
Never ever open files or attachments if you are not 200% sure that are legitimate. If you aren’t sure then check the source of the email and real links (just over the link with the mouse and copy paste to see the real URL, most of the time spammer just hide the real website).
Most importantly, businesses should play their part, by keeping their customer data according to the laws. Customers provide their information hoping it will be used safely and companies must put all measurements in place to do that.
Wondering what are your privacy requirements based on data you are collecting?