The State of Cybersecurity in North Macedonia - Interview with an Expert: Elena Stojanovska

Should the typical citizen in North Macedonia today feel safe online?

Honestly, I think the answer to this question is quite complex. The sense of security is largely subjective and is closely related to how each of us experiences privacy. What one person may consider intimate, private, another may not understand at all in that way. The personal experience of privacy of many people in our region is also related to mentality, so one can often hear "I have nothing to hide". I would not dare to say that citizens should or should not feel safe online, I would say that they should feel challenged. The challenge in this sense would be to become aware of where we create our user accounts, provide personal information, share details about our lives, habits, interests, but also how and to what extent we respect other people's privacy.

Are there ways to protect oneself from online threats, that everyone can employ?

Of course there are, the problem is that few take the time to find out what are the appropriate ways to protect themselves, and this is the first step in preventive action. The trend of digitalization, advances in information technology and the growth of the use of online services inevitably led to personal data gaining the status of a very strong currency. In most of the privacy policies of social networks, mobile applications and other tools for online communication there is a section titled "How we value and protect your privacy" and here is the trick, behind this declarative commitment to protection often the hidden message is " "We use your personal data for research, profiling, and ultimately profit generation." The question that arises is - why would we invest our privacy in someone else's profit strategy. The basic steps we need to take are to "clean" our social media profiles from too much information, data, photos, to read the Privacy Policy before sharing more than we wanted before being informed, to be careful about what we give consent and to which data we give free access when downloading and using various applications, to check if the page we want to visit is safe (https), to use complex and different passwords to access different accounts, to pay attention to the content of the communication which we have through instant communication applications, to use antivirus protection on all devices from which we access the Internet, to be careful when choosing and using Wi-Fi networks ....

What is the most common threat from which data is being stolen/manipulated in North Macedonia (in recent years)?

For a long time, social media has been a place where threats to the privacy of citizens most often appear. Most often, these are fake profiles, stolen profiles, posting other people's photos without the consent of the persons to whom they belong, and even physical security incidents caused by something that was publicly published on the Internet. Of course, these are the most common but not the only threats to privacy. Instant communication applications are also an interesting channel with the free use of which we have a sense of availability and speed in communication, but we rarely think that communication is not so secure. Sharing data, sending documents and photos through these communication channels is something we should be especially careful about, especially considering the fact that many of us use these communication channels to be in contact with colleagues, doctors, teachers and share all kinds of information. Another trend that is inevitably associated with privacy threats is the profiling of Internet users. The services and tools we use could not upgrade their functionality without monitoring our online activity. In this regard, the more we share about ourselves, the more we help generate profits for the companies that develop these services and tools. Often, we are not aware of how much our virtual identity is (miss)used for someone else's higher purpose.

How do Macedonians value privacy, especially their online privacy?

My answer to this question is my personal experience of how Macedonians perceive and value their privacy, but I think it would be great to conduct research on this topic. The impression I have is that we are too "open" on social networks, too accessible on our mobile phones, too "efficient" in fast communication .... it is still difficult for us to take the time to read what actually happens with the details of our lives that we share so easily. Trying to give a short answer, I would probably say that we start appreciating privacy only when it is threatened.

Are Macedonian institution safe from cyber-attacks? Are we doing enough to protect our critical infrastructure?

It is difficult to give a quick and accurate answer to this question. Many institutions have invested time and money in establishing a secure IT infrastructure. Perhaps the real question is to what extent institutions have the capacity to keep pace with the progress of technology, and thus the emergence of new threats. When I say capacity, I mean the institutional physical infrastructure, human potential and knowledge, the finances planned to upgrade the systems, the equipment and the staff. A useful follow-up question would be how prepared are we to learn from the threats we have faced. Unfortunately, several security incidents in the last two years indicate that we are not prepared. Situations such as the crash of the State Election Commission system on election day on 15th of July, 2020, the crash of the Covid19 vaccination website in early February 2021, the introduction of a new voter fingerprint identification model without first assessing the impact on privacy, they point out to me that the institutions do not value privacy as expected, and with that I think that they are not sufficiently prepared to face cyber-attacks. The new Law on Personal Data Protection requires a mandatory risk analysis of personal data processing, according to which specific technical measures for protection should then be defined. These measures also include measures for securing websites and all online communication. I sincerely hope that the institutions will take the harmonization of these measures seriously.

Is the business sector following the latest trends in cyber-security & safety? Are private companies investing in security?

Unlike the institutions, the business sector has a different attitude towards the establishment of a personal data security system. The reasons for this are numerous. The financial risk of a possible security incident that could result in a breach of privacy is high, and the damage to the reputation even greater. Hence, we can see a trend of strengthening the measures introduced by the business sector to better protect the processes that take place over the Internet, various tools, applications and platforms. In many of the companies I have had the opportunity to work with and talk to, the provision of https protocols, TLS protocols, special procedures for encrypting different types of communication, authorization methods and access control have already been raised to a higher level. What is in favour of the business sector is the fact that the human potential is greater, and the opportunities for planning and investing in new technologies are more feasible. The new Law on Personal Data Protection sets serious requirements which include performing detailed analyses of the risk of personal data processing, defining the measures for securing all channels and ways of processing personal data but also precisely defining the responsibilities and roles of all persons who are authorized to process personal data. I believe that this process will be completed faster in the business sector, and one of the key reasons for that are the high fines which according to the new law amount to up to 2 and up to 4 percent of the annual profits of the company.

Are parents, teachers, and school children sufficiently aware of the cyber landscape? Are they informed enough to protect their data?

Raising awareness of online security in education as a sector has been a hot topic for years, with the fact that a decade ago the focus was on online behaviour and recognizing threats from individual Internet use by children, the Covid-19 pandemic has spread focus on the safe operation of the entire system online. There is really a lot to talk about and debate on this topic, but what I think is already a chronic pain is the lack of a clear strategic approach to systemic change. It has long been not enough for cybersecurity to be just a chapter in textbooks in a total of three school subjects, it is not enough to have computers for all students, and they are outdated and connected to an insecure network, it is unacceptable to use platforms like Teams and Google for online teaching and not to invest in a sustainable and strong distance learning system. Online teaching in a good part will be the future of education, the generations to come will be more literate and will cope better in the online world which will be a natural environment for them, so we as a society must invest efforts, energy, finances in serious capacity building in this key sector.

How would you describe the trend in the recent years in terms of digital safety & privacy in our country?

We have discussed many times before that changes in laws and policies will never happen at the speed with which information technology is evolving. In the last few years, the trend of digitalization of services for users has increased, and thus the trend of developing data protection measures is present. The development of special privacy policies is also a trend, especially after the adoption of the new Law on Personal Data Protection in early 2020. Working from home for a long time is very important in changing the perceptions of digital security. The integrity and confidentiality of data has become an essential need, so it can be heard more and more often that multifactor authentication and setting levels of access to different systems are being introduced. In fact, this is expected to continue to be a trend next year too.

How do you see the media’s role in raising awareness about privacy & cyber-security issues going forwards?

The role of the media is crucial and they should give much more space to topics such as cyber security and privacy. With the exception of a few media outlets that cover these topics more seriously, the rest usually only report when there are certain privacy breaches. Speaking of the media, I would like to emphasize that in addition to the obligation to inform the public about privacy issues, they also have the obligation to protect the personal data of the persons they report on. This is crucial for a media outlet to show that it truly understands and respects the concept of privacy.

What would be your message to our fellow citizens – what should they avoid & be especially careful about?

If I were to try to figure out a set of recommendations for myself, the first probably would be to spend as little time online as possible without a clear necessity, and I find myself doing that often. Secondly, I would delete from my phone everything that does not need to be there, whether it is applications, photos, browser history. Then, I would change all the passwords in all the places where I have registered as a user to make sure they are complex and different enough. Last but not least, I would like to know what rights I have as a user wherever I am registered, it would mean that I take control of my data in my own hands.

Follow Elena Stojanovska on LinkedIn

💡 If you're interested in boosting your own or your organization's cybersecurity awareness, enroll today in our free, self-paced Digital Safety & Security course: