Brexit is hanging over many British businesses and creating a great deal of uncertainty. One of the many areas that could be impacted is cyber security – industry experts are warning that organisations may face challenges if, for example, strong data protection laws are not upheld and there are problems attracting the right talent.
So, just what will Brexit mean for your organisation’s cyber security?
Data protection requirements will be upheld
One factor that will ease Brexit’s impact on cyber security is that the UK has transposed the EU’s GDPR rules into the Data Protection Act 2018 (DPA). This means that businesses will need to continue to follow the same data protection rules post 29th March 2019, the date the UK leaves the bloc.
As with the GPDR, compliance with the DPA 2018 mandates that organisations have suitable controls and processes in place to protect personal data. This involves regular security assessments as well as the need to detect and report data breaches.
On a similar note, organisations will need to continue to comply with the requirements of the NIS Directive – which is intended to ensure that operators of essential services and digital service providers maintain high levels of security and resilience. The NIS Directive has also been transposed into UK law, in the form of the Network and Information Systems Regulations 2018 (NIS Regulations).
Increased confusion
While Brexit is not expected to radically affect data protection laws in the UK, any large scale changes to the way in which the government and international agencies are able to operate stands to create confusion. Businesses, crime enforcement agencies and regulatory bodies will face operating in a brand new and poorly understood landscape, which they will need time to adapt to.
It is still unclear what the effect of Brexit will be in both the short and long-term. Possible confusion, however, could make it easier for cybercriminals to exploit loopholes and lead to, for instance, a rise in new types of attacks, including social engineering scams.
It is still unclear what the effects of Brexit will be in both the short and long-term – and cyber criminals are easily able to operate in a more chaotic and uncontrolled environment. This makes UK cyber security not only a more obvious target, but also leaves it less equipped to deal with issues.
Less co-operation and information sharing
Additionally, after Brexit, it could become a lot more challenging for law enforcement authorities in the UK to investigate and police cyber-crime. Less cooperation on an international level could mean that it is harder to identify, trace and shut down criminal operations. Given the fact that cyber criminals are becoming more sophisticated and active as it is, these impediments in policing attacks only adds to the problem.
For example, Europol often provides operational support for complex cybercrime investigations – and without this assistance, investigations could be hindered. The British government has stated a desire to foster an even closer relationship with the EU on cyber security – but whether they will be able to do this is very much up in the air.
In any case, it may also be true that rogue actors will see post-Brexit UK as an easier target. This means that critical national infrastructure and business could see a spike in attacks. Therefore, it will be necessary for all organisations to ensure their cyber defences are strong enough to safeguard against possible increased activity.
Potentially harder to attract talent
It is well known that there is already a shortage of talent in cyber security. A recent report estimated that there is a global skills shortage of 2.93 million professionals – with around 142,000 unfilled positions in Europe alone. Simply not enough people have the necessary skills and experience.
Brexit will inevitably make it more challenging for UK businesses to hire staff from the EU. Of course, it could be argued that a reduction in the number of EU migrants may make it easier to employ people from outside the EU, however it remains to be seen as to whether this will be the case or not.
