The Impact of Brexit on InfoSec

The impact of the Brexit decision has been a little slow in coming, but it’s now starting to make its presence known, with a slow-down in exports, inflation creeping upwards, and consumers getting jittery.  Cyber Security is likely to be affected just like anything else, and something likely to have an impact on business is the impending arrival of the General Data Protection Regulations (GDPR) in 2018. This monumental piece of legislation hasn’t received the exposure that maybe it deserves.

GDPR – our obligations

How is our exit going to affect information security? And will there continue to be the same level of two-way communication between our own Cyber security services, and those in Europe?

While the vast majority of GDPR covers the rights of individuals and how their personal data is stored, managed and protected, it also includes nation-state obligations under Article 23. This sets out a number of derogations that are applicable to certain situations, including the grounds of national security, and the prevention, investigation, detection or prosecution of criminal offences.

It also allows nation signatories (of which the UK is one) derogation (exemption from aspects of the legislation) on the grounds of other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health, and security. In short, it covers any and every aspect of daily life that could be open to a cyber attack. And without being a part of that signatory, we won’t have the same levels of protection or co-operation from our European neighbours should a major cyber security breach take place.

The fear by many industry professionals is that we’ll see an increasing level of isolation as the UK draws closer to the exit date in 2019. The real concern doesn’t really lay with the implications of GDPR – that will be (potentially) covered by the Great Repeal Bill, which essentially transfers EU legislation over to UK statues. This can hopefully be dealt with later.  But it’s important to remember that whether we’re in or out, the GDPR regulations still apply post-Brexit.

Director of information security at Canon, Quentyn Taylor, told a keynote audience at Infosec 2016 that if the UK votes to leave the EU, it could have disastrous impacts on both British and multi-national businesses. When asked whether the UK should adhere to the GDPR after Brexit, he responded: “I think we’ll absolutely have to. We have data centres all over Europe and we have data transfers that happen across huge numbers of countries.

“That’s part of doing business. If we have to have a separate regulatory program here it will have huge impact for us a multinational. I think it will also have a huge impact on British businesses.”

A pinch point that blocks the flow of information

The real concern is for the Brexit decision acting as a pinch point for the flow of information between cyber security experts across Europe and the UK. It’s already been pointed out that the UK will need to rethink its position and role in Europol and the European Cybercrime Centre. Both organisations are crucial to the combat of cybercrime across the continent, and within the UK’s borders too. Our exit will leave a substantial hole in that network.

So before Brexit takes hold, the UK is going to have to put robust and effective information and asset sharing structures in place, so that vital conduit of InfoSec information between the UK and Europe stays open.

An effect on employment?

Despite all the confusion over the legislative implications of Brexit on the UK’s cyber security industry, jobs, it seems, are pretty secure. The UK already has a shortage of InfoSec professionals, which means overseas workers are in demand. With a shrinking talent pool as non-UK workers leave, InfoSec professionals are going to be even more highly prized.

Business as usual?

Most InfoSec professionals think that initially there will be minimal impact, as long as those communications lines with our counterparts in Europe stay open. The key, if you want to experience minimal impact on your career, is to be flexible and evolve with the changing market. We may not be able to future-proof entirely, but as an industry we can certainly meet the challenges that Brexit will throw up.