How Brexit Impacts the Future of Europe’s Cybersecurity Posture

How Brexit Impacts the Future of Europe’s Cybersecurity Posture

This post first appeared om the Thales eSecurity Blog here.

The British parliament has been unable to agree the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regards to Britain’s future, creates various opportunities which cyber criminals could try to exploit.

Given the situation, careful examination of Brexit’s direct and indirect implications must be made, if we are to better understand the potential ramifications of a “no deal” exit. Let’s begin by looking at relevant regulations.

A brief look at current and future legal frameworks

The EU recently adopted two key pieces of legislation designed to govern cybersecurity and privacy issues. The first piece of legislation, the General Data Protection Regulation (GDPR)1, regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The second regulation, the EU Network and Information Security Directive (NIS)2, provides legal measures to boost the overall level of cybersecurity in the EU.

For its part, the United Kingdom incorporated GDPR into its Data Protection Act 20183 and the NIS Directive into its NIS Regulations 20184, a political choice showing that the UK strategically desires to be aligned and, to a certain extent, compliant with the new EU regulations.

Governing the transfer of data

On February 6, the UK government published “Using personal data after Brexit”9. The guideline reveals that post-Brexit UK businesses will still be able to send personal data from the UK to the EU and that the UK will continue to allow the free flow of personal data from the UK to the EU (and the EEA area).

Data originating from the EU that comes into the UK will be a different story. It is illegal for an EU Member State business or organisation to export data to a non-EEA entity without specific legal safeguards in place. Since post-Brexit UK could, depending on the method of exit, be considered a “third country,” UK businesses will be subject to these safeguards.

Current & Post-Brexit Threat Landscape

In the UK, the number of data breaches reported to the Data Protection Commission11 rose by almost 70 percent last year, totaling 4,740 breaches during 2018. At the same time, UK organisations such as universities, businesses, online stores and social media (like Facebook) have been subject to breaches that affected millions of people.

Incident Handling

Today all European businesses, organisations and citizens can utilise a data breach reporting mechanism to notify only the Lead Supervisory Authority (LSA) in their country, to carry out investigations and to inform/coordinate with LSAs in other EU Member States in case of a cross-border cybersecurity incident.

In a post-Brexit future, UK-based businesses and organizations will need to legally notify not only the UK Lead Supervisory Authority, the Information Commissioner’s Office (ICO), but also each relevant Member State’s LSA.

Effects on the Workforce

What concerns me most is the cybersecurity skills shortage14. By limiting the right of free movement and enforcing stricter working visa requirements, Brexit could have a significant impact on the capability of Britain to fight against cyber criminals and nation state threats.

Additionally, UK based universities will potentially lose access to huge amounts of EU research funding because of Brexit.

What we can do to prepare?

On the cybersecurity front, UK companies will have to deal with a disappearing network perimeter, a rapidly expanding attack surface, the widening cybersecurity skills gap and the growing sophistication of cyber-attacks.

These issues are extremely difficult to be dealt with. In response, companies should focus on securing all of sensitive data by encrypting all data at rest and in transit, securely storing and managing all encryption keys and controlling user access and authentication. Doing so will help them staff safe in an increasingly uncertain world. With the rise in threats and the increasing value of data to cyber criminals, it’s important for businesses to know how they can adopt a Secure the Breach approach to protecting their most sensitive data and intellectual property.

Security Boulevard – How Brexit Impacts the Future of Europe’s Cybersecurity Posture

security-boulevardThe British parliament has been unable to agree the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regards to Britain’s future, creates various opportunities which cyber criminals could try to exploit.

Given the situation, careful examination of Brexit’s direct and indirect implications must be made, if we are to better understand the potential ramifications of a “no deal” exit. Let’s begin by looking at relevant regulations.

A brief look at current and future legal frameworks

The EU recently adopted two key pieces of legislation designed to govern cybersecurity and privacy issues. The first piece of legislation, the General Data Protection Regulation (GDPR)1, regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The second regulation, the EU Network and Information Security Directive (NIS)2, provides legal measures to boost the overall level of cybersecurity in the EU.

For its part, the United Kingdom incorporated GDPR into its Data Protection Act 20183 and the NIS Directive into its NIS Regulations 20184, a political choice showing that the UK strategically desires to be aligned and, to a certain extent, compliant with the new EU regulations.

To read the full article, click here.

Just Food – UK companies “lack understanding of cyber security threats” – government report

just-foodA UK government report highlighting a significant lack of understanding among directors of FTSE 350 companies of how cyber attacks can hit businesses has been dubbed “alarming” by a cyber security professional.

The Government report, published today, found only 16% of boards have a full understanding of the impact from and disruption associated with cyber attacks, despite 96% having an established cyber security strategy.

“It’s alarming to see that the boards of the UK’s biggest businesses don’t understand the impact of cyber attacks, especially given that the impact of a serious attack is absolutely proven to impact revenue, reputation and even individual jobs,” said Jason Hart, CTO of Data Protection at Gemalto and former ethical hacker, in response to the report.

To read the full article click here.

The Future of Cybersecurity – A 2019 Outlook

The Future of Cybersecurity – A 2019 Outlook

 

This post also appears on the Gemalto Enterprise security blog here.

From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.

Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner’s Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160% increase over the same period in 2017. When GDPR came into force, there were questions raised about its true power to hold companies to account – with the regulation saying fines could be implemented up to £16.5 million or 4% of worldwide turnover. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown, is the authorities have the power and they’re prepared to use it.

In fact, the role of GDPR was to give more power back to the end user about who ultimately has their data, but it was also ensuring companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue around protecting data has grown more prominent, the methods to achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection. This means protecting the data at its core through encryption, key management and controlling access. In our latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. The use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused. Another reason to implement this is it is actually part of the regulation and will help businesses avoid fines as well. With such a large percentage still unprotected, businesses are clearly not learning their lessons.

So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence and, quantum and crypto-agility start to make themselves known.

2019 Predictions

1. Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. But one notable example here is encryption, the static algorithms of which could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

2. Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as the computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI powered malware, hackers will infect an organisations system using the malware and sit undetected gathering information about users’ behaviours, and organisations systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fight fire with fire.

3. Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across, there is an assumption that they’re automatically protected as they transition workloads to the cloud. The channel has a role to play in educating companies that this isn’t necessarily the case and they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.

A Boardroom Issue That Needs to Yield Results

With 2018 fast disappearing, the next year is going to be another big one no matter what happens, as companies still struggle to get to terms with regulations like GDPR. With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are just as vital, if not more, to focus on. So, while 2018 has been the year where cybersecurity finally became a boardroom issue, 2019 needs to be the year where its importance filters down throughout the entire company. For an issue like cybersecurity, the company attitude towards it needs to be led from the top down, so everyone buys into it. If that happens, could next year see no breaches take place? Extremely unlikely. But maybe it could be the year the industry starts to turn the tide against the hacking community.

What should CISOs be prioritising in 2019?

What should CISOs be prioritising in 2019?

There is no doubt that 2018 has been a memorable year for cybersecurity professionals and the industry as a whole. From overseeing the implementation of the General Data Protection Regulation (GDPR), to the record-breaking number of data breaches, CISOs have had increasing pressures on their shoulders. And, as technologies like Artificial Intelligence (AI) gain more prominence and emerging technologies such as quantum computing are pursued even further, 2019 looks like it could be another hard year for the industry.

With all this in mind, what might the next 12 months bring the security industry?

Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. But one notable example here is encryption, the static algorithms of which could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as the computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI powered malware, hackers will infect an organisations system using the malware and sit undetected gathering information about users behaviours, and organisations systems. Adapting to its surroundings, the malware will unleashing a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fight fire with fire.

Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role– the Cloud Migration Security Specialist – to help the CISO securely manage the transition. Whether the role is internal or external, a vital part of supporting the CISO is to ensure that as workloads transition to the cloud they are secure from any potential hackers.

Payments Journal – New York CyberSecurity State of Mind

paymentsjournalThe conversation around data protection is heating up as governments start to think more strategically and globally about information security and breaches. It’s increasingly clear that we need standardized cybersecurity regulations and more intense enforcement to track criminals across borders. In the wake of tough new regulatory frameworks adopted by the European Union and California, the U.S. Commerce Department is seeking comments on how to set nationwide data privacy rules.

To read the full article click here.

Information Age – A CTO guide: Cyber security best practice tips

information-age-logo-text-onlyAs part of Information Age’s Cyber Security Month, we have provided three CTO guides on cyber security: the challengesthe technology and the best practices. This is the last one, and will focus on cyber security best practice tips, with some insights on how CTOs, or CISOs or those in charge of security, can protect their organisation from the growing list of cyber threats, as well as increasing human error.

Jason Hart, CTO at Gemalto suggests that the cyber criminals are exploiting the arrogance of organisations.

“Senior leaders must be situationally aware and ensure that employees only have access to the data that they need at any given point,” he says.

>Read more on Gemalto CTO: Beating ‘cybercriminals at their own game’

“Very few understand the critical importance of knowing the impact of people, data and business processes, and this is the weakness that cyber criminals are exploiting. There are those that are simply ignorant, who just aren’t looking or considering the impact of a data breach and those that are arrogant and believe they know it all, thinking that massive investment in the latest security products will stop a breach. But it’s this very arrogance that makes them vulnerable. In both cases, there is a serious lack of situational awareness.”

To read the full article click here.

Information Age: A CTO guide: The main challenges facing the cyber security industry

information-age-logo-text-onlyIn this guide, five CTOs provide their view on the main challenges facing the cyber security industry, with insights on how to overcome them.

Jason Hart, CTO at Gemalto, also says that the biggest challenge facing the cyber security industry is the growing cyber skills gap.

“There’s no shortage of young people capable of pursuing a career in cyber security. But, the trick is to ensure we nurture their skills and guide them towards using their talents for good, rather than acting as black hat hackers. Thanks to institutions such as GCHQ, initiatives are now being run around the UK that are aimed at producing the next generation of cyber security experts.”

>Read more on Gemalto CTO: Beating ‘cybercriminals at their own game’

“As demand for these roles continues to increase in a post-GDPR world, governments, businesses and educators need to invest in these young people. Of course, they also need to train existing staff, use relevant solutions and be situationally aware, to remain secure and continue to comply with regulations now.”

To read the the full article click here.

CRN Online – Black Hat 2018: 10 Execs On The Top Cybersecurity Threat America Faces Around The 2018 Midterm Elections

crnVoting Under The Microscope

The November 2018 midterm contests have generated more scrutiny from a cybersecurity perspective than any election in recent memory due to the unprecedented high-profile data leaks and Russian-backed social media disinformation efforts during the 2016 election cycle.

In addition to a potential reprisal of all the issues from 2016, some observers fear that the voting machines themselves could be tampered with by a nation-state actor or agent.

CRN spoke with 10 executives and technical leaders at Black Hat 2018 to separate fact from fear, and get a sense of the most realistic scenarios that could cause disruption in the runup to the election or at the ballot box.

“A compromised user name or password is the single easiest way in for bad actors since the system isn’t able to distinguish between the intended or an unintended user entering the right password, according to Jason Hart, Gemalto vice president and CTO for data protection. By gaining access to election data, Hart said bad actors can cause reputational damage and discredit a candidate or their entire campaign”.