Cybersecurity Post-Brexit and your Risk Programme
Do you have a risk register? Have you added any new risks since Friday morning or updated ones you had correctly included? Brexit will most likely impact your (Cyber, Data, Information, IT) security.
The result of the referendum in the UK in relation to the continuing membership of the European Union (EU), or Brexit as it has come to be known, has had many, many column inches written about the political, financial, or social impact. A piece or two has even been scribed on the possible risk to the Premier League!
As security professionals we should also be aware of the risks that this decision and the next few years of negotiation and change may give rise to in Ireland, in the EU and in the UK itself.
What then needs to be considered? No hype. No panic. Just sensible, rational consideration of the possible impact the change may have on your data and your business. While many posts will be written on the wide variety of areas that will change, this piece focuses on the areas of data and resources.
Data Sharing Agreements & Data Privacy
For many years the complexity of data protection laws was simplified for the security officers around Europe by having a single Directive and, on a wider scale, the Safe Harbour Privacy Principles with the United States (of course these were overturned recently). We understood that if we had branches in various countries across Europe we could transfer data with little complication. We also took comfort that other organisations that we may have dealt with would protect the data in an appropriate way if they were inside Europe. All countries in Europe had signed up to the Directive and the principles of data security and privacy. So post-Brexit, and post the negotiation period, will the UK laws be any different to the EU laws? What challenges will this bring? Ironically the estimated period for Brexit is years – just in time for the EU General Data Protection Regulation (GDPR) date by which companies must be compliant.
If inside the UK, you will have to be compliant with internal regulations. If trading to any European citizens you will have to add in the EU GDPR requirements also.
If in the EU, the GDPR requirements will be something you are working on already but consideration may have to be given to new UK laws if you trade or process any UK data.
And then there may be another level of complexity if the agreements with the US or other territories vary for EU and UK territories.
We are living in a global digital market, and the creation of physical or virtual borders adds challenges, adds requirements and inevitably adds costs. The EU currently has identified as a priority the creation of a Digital Single Market to “tear down regulatory walls and move from 28 national markets to a single one” (http://ec.europa.eu/priorities/digital-single-market_en), the pillars of which are better online access to digital goods and services, an environment where digital networks and services can prosper, and digital as a driver for growth. Where does this lie now? Let’s hope any negotiations will ensure that digitally the 28 remain as 28 and not 27 + 1.
Another concern for data may be the treatment of the individual’s privacy. The EU has a history of strong protection of the individual’s right to privacy. The introduction of the EU GDPR is a good example of this, as the original Directives required strengthening. Citizens of Europe, more than 90% according to EU body figures (http://ec.europa.eu/justice/data-protection/reform/index_en.htm), “say they want the same data protection rights across the EU – and regardless of where their data is processed.” Originally proposed in 2012, it was also intended to make Europe fit for the digital age. Could any new UK laws be more lax? Less protective of the individual’s rights to privacy? More open to access from agencies ‘requiring access for national security’, similar to the US?
Security Resource Availability
Another risk that organisations should be monitoring while Article 50 and the negotiations are ongoing is the impact on skilled individuals. We all already struggle to keep up with the demands of attracting cyber talent and specifically cybersecurity talent. Will the restrictions on the freedom of workers in the new EU/UK relationship provide a significant barrier to organisations getting the talent they require? Currently organisations employ a significant number of EU based resources. Will these companies move their SOC to a UK territory, which may prove costly and extremely challenging as they placed the service in the EU due to a lack of skilled personnel in the first place? Will they leave their services where they are and move their HQ or their security team HQ?
Either solution would have to deal with any complexities that the separation may bring in relation to data regulation, as already mentioned. Will cyber security companies relocate sooner rather than later to avoid an elongated period of uncertainty? Business likes risk; business dislikes uncertainty.
Other areas of concern
Another area of concern is 3rd Party Governance. Where are your 3rd parties based? UK? EU? Security governance of your vendors and suppliers can be challenging enough; however, this extra layer may add to your challenges.
Applications & Systems should also be monitored through your risk register. You may require different rule sets in different markets. This will add to costs and compliance overheads and ultimately impact profits.
Managing the risk
Much has already been written and said about the need for collaboration, as cyber threats and attacks transcend national boundaries. The UK’s role in the European Police Office (Europol) and the European Union Agency for Network and Information Security (ENISA) will likely need to be reviewed.
We are in a period of uncertainty, of speculation and “it depends”. The best we can all do is be prepared, keep up to date and be as attentive as possible to daily security threats.
I recommend that you review your current risks for post-Brexit implications. Create new entries specifically relating to data and skilled resources and monitor them closely. And if you do not have a risk register – start one.