This post first appeared on the Thales eSecurity Blog here.
The British parliament has been unable to agree the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regards to Britain’s future creates various opportunities which cyber criminals could try to exploit.
Given the situation, careful examination of Brexit’s direct and indirect implications must be made, if we are to better understand the potential ramifications of a “no deal” exit. Let’s begin by looking at relevant regulations.
A brief look at current and future legal frameworks
The EU recently adopted two key pieces of legislation designed to govern cybersecurity and privacy issues. The first piece of legislation, the General Data Protection Regulation (GDPR) [1], regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The second regulation, the EU Network and Information Security Directive (NIS) [2], provides legal measures to boost the overall level of cybersecurity in the EU.
For its part, the United Kingdom incorporated GDPR into its Data Protection Act 2018 [3] and the NIS Directive into its NIS Regulations 2018 [4], a political choice showing that the UK strategically desires to be aligned and, to a certain extent, compliant with the new EU regulations.
Governing the transfer of data
On February 6, the UK government published “Using personal data after Brexit” [9]. The guideline reveals that post-Brexit UK businesses will still be able to send personal data from the UK to the EU and that the UK will continue to allow the free flow of personal data from the UK to the EU (and the EEA area).
Data originating from the EU that comes into the UK will be a different story. It is illegal for an EU Member State business or organisation to export data to a non-EEA entity without specific legal safeguards in place. Since post-Brexit UK could, depending on the method of exit, be considered a “third country,” UK businesses will be subject to these safeguards.
Current & Post-Brexit Threat Landscape
In the UK, the number of data breaches reported to the Data Protection Commission [11] rose by almost 70 percent last year, totaling 4,740 breaches during 2018. At the same time, UK organisations such as universities, businesses, online stores and social media (like Facebook) have been subject to breaches that affected millions of people.
Incident Handling
Today all European businesses, organisations and citizens can utilise a data breach reporting mechanism to notify only the Lead Supervisory Authority (LSA) in their country, to carry out investigations and to inform/coordinate with LSAs in other EU Member States in case of a cross-border cybersecurity incident.
In a post-Brexit future, UK-based businesses and organisations will need to legally notify not only the UK Lead Supervisory Authority, the Information Commissioner’s Office (ICO), but also each relevant Member State’s LSA.
Effects on the Workforce
What concerns me most is the cybersecurity skills shortage [14]. By limiting the right of free movement and enforcing stricter working visa requirements, Brexit could have a significant impact on the capability of Britain to fight against cyber criminals and nation state threats.
Additionally, UK based universities will potentially lose access to huge amounts of EU research funding because of Brexit.
What can we do to prepare?
On the cybersecurity front, UK companies will have to deal with a disappearing network perimeter, a rapidly expanding attack surface, the widening cybersecurity skills gap and the growing sophistication of cyber-attacks.
These issues are extremely difficult to deal with. In response, companies should focus on securing all sensitive data by encrypting all data at rest and in transit, securely storing and managing all encryption keys, and controlling user access and authentication. Doing so will help them stay safe in an increasingly uncertain world. With the rise in threats and the increasing value of data to cyber criminals, it’s important for businesses to know how they can adopt a Secure the Breach approach to protecting their most sensitive data and intellectual property.
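The paragraph above bundles three controls: encrypt data at rest, keep the keys separate from the data, and bind access to an identity. The following Go program is an added illustration of how those controls fit together in an envelope-encryption design; it is example code written for this post, not Thales code or any product's API. It assumes a master key that in practice would live in a KMS or HSM and never touch the application's storage (here it is a constructed in-memory byte string), and it uses a constructed customer record as sample data. Each record is encrypted under its own random data key with AES-256-GCM, that data key is itself wrapped under the master key, and the record identifier is bound in as associated data so a ciphertext cannot be silently moved to another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealAEAD encrypts plaintext with AES-256-GCM under key and returns nonce||ciphertext.
// aad is authenticated but not encrypted; any change to it makes openAEAD fail.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce so they are stored together.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD and verifies the authentication tag.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Record is what lands on disk. The wrapped data key travels with the data but is
// useless to anyone who steals the database without also holding the master key.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a fresh data key per record (envelope encryption),
// encrypts the plaintext under it, then wraps the data key under masterKey.
func EncryptRecord(masterKey, plaintext []byte, recordID string) (Record, error) {
	dek := make([]byte, 32) // AES-256 data encryption key
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealAEAD(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealAEAD(masterKey, dek, []byte("dek:"+recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the master key, then decrypts the record.
// A wrong master key, a tampered ciphertext, or a mismatched recordID all fail closed.
func DecryptRecord(masterKey []byte, r Record, recordID string) ([]byte, error) {
	dek, err := openAEAD(masterKey, r.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAEAD(dek, r.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed master key; in production this is fetched from a KMS/HSM, never stored with the data.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(master, []byte("constructed customer record"), "customer-42")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(master, rec, "customer-42")
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = DecryptRecord(master, rec, "customer-43")
	fmt.Println("moved to another record:", err)
}
```

The design choice worth noting is the key hierarchy: a breach of the data store yields only ciphertexts and wrapped keys, and rotating or revoking the master key at the KMS invalidates every record at once without re-encrypting the data itself.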