The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.
According to The Security Institute, the Brexit decision will have significant implications for the security profession and will inevitably present fresh challenges.
However, the organisation’s vice-president Alison Wakefield said security professionals pride themselves on being able to take the objective view, to put aside emotion and to focus instead on the hard facts of a situation.
“One thing we categorically disagree with is Michael Gove’s assertion that people in this country have had enough of experts,” she said.
“As an organisation that numbers a great many security experts in its membership, we believe the changes Brexit will bring mean that we, as a nation, will more than ever rely on these experts."
Whatever cyber security challenges lie ahead as a result of Brexit, Wakefield said they will be met and overcome by the application of expertise and the diligent efforts of experts.
"The Security Institute’s raison d’être is to promote the professionalisation of security. Now that our country has chosen to go through a period of economic and political turbulence, let’s collectively – as experts in our field – do our utmost to re-emphasise professionalism, and redouble our efforts to help nurture security practitioners who can carry the ‘expert’ label with justification, pride and the external recognition they are due,” she said.
Read more about Brexit
- Computer Weekly takes a look at how leaving the EU will affect UK tech startups
- The financial services IT community faces a period of uncertainty as finance firms reassess plans following the EU referendum result
- Brexit is causing the cost of using US-based cloud services to rise for some UK businesses
- The UK IT sector reacts with alarm, tempered by a calm pragmatism, to the British Referendum verdict to leave the European Union.
Adrian Davis, European managing director at security certification body (ISC)2, said information security is well-recognised as an international concern that has motivated levels of co-operation that already transcend national boundaries and politics.
“There is no reason to believe that this will come to an end or even be significantly interrupted by the Brexit vote,” he said, despite concerns by some information security professionals the cyber threat intelligence sharing may be impeded.
According to Davis, information security professionals in the UK and across Europe have at least two years to understand the practicalities that will affect their day-to-day job, and there is a good chance that quite a lot of what is anticipated over this time will not change.
The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR) for example, will remain the same, he said, as UK businesses will continue handling EU citizens' data.
“The march of technical innovation reflects global trends and will continue to shape the challenges we face on the front lines, and we all understand that threats and attacks are international. The work we do as a profession already ensures that the standards and practices required to face them account for differences in markets and regulatory expectations. I’m confident that, as a profession, information security professionals right across Europe will continue to work together,” said Davis.
Strong partnerships for cyber security
Larry Clinton, president and CEO of the Internet Security Alliance said that, while the Brexit vote is unlikely to have much impact on information security operations in the short term, he believes that the vote underlines the need for the private sector to develop strong partnerships to secure the cyber systems they own and operate independent from government structures.
“I feel pretty sure not a single UK voter was thinking about cyber security when they went into the voting booth, but that doesn't mean that the vote to fundamentally alter the structure of our most important security partner will not impact policy, strategy and eventually operations in ways we perhaps can't foresee at the moment,” he said.
Clinton said that, while it is too early to know if other countries will follow the UK and leave the EU or what impact that has on the EU efforts on cyber security, how it may complicate needed international co-operation on cyber security, what delays, inconsistencies and added costs will be involved and many other issues.
“However, we can be sure that there will be substantial volatility in the government space and the private sector needs to engage with government structures, but would also be wise to take responsibility themselves and strengthen independent process to enhance cyber security by developing structures and partnerships that operate independently of governments subject to political whims,” he said.
Time to plan for Brexit
Manish Sood, CEO of data management firm Reltio said the good news is that companies have time to plan for Brexit.
“But the key now is ensuring that they are agile with their data management and privacy protection strategies,” he said, especially in the light of the GDPR that will come into force in 2018, which could be a year or more before the UK actually leaves the EU.
This means UK companies will have to comply with the GDPR in the short term as EU companies, but even when the UK does leave the EU, the GDPR will still apply for any UK companies doing business with the EU or handling the personal information of EU citizens.
“The GDPR has strong requirements around the accountability of businesses to demonstrate compliance, including privacy impact assessments, in which the risks to an individual during the use of that data must be detailed,” said Sood.
The GDPR also has strong requirements around data erasure, also known as “the right to be forgotten,” meaning removing any historical activities made by individuals captured as part of their digital activities, around profiling, which relates to the need to obtain permission from individuals before any of their profile data is used to evaluate their behavior, and around data breach notifications that dictate the minimum acceptable time periods upon which individuals or organisations must be notified when profiles containing their data is compromised.
“Data privacy and protection laws are becoming increasingly stringent, and are slowly catching up to the wealth of data being captured and used in the digital age,” said Sood.
Intellectual property under threat
“Organisations and executives who naturally view data as an asset for digital transformation, improved customer experience, and personalised targeting, have multiple hurdles to jump over to conform to these new regulations,” he said.
Iain Connor, partner at legal firm Pinsent Masons said that, with harmonised intellectual property rights ranging from registered trademarks and design rights to unregistered rights such as copyright and database right, automatic EU-wide intellectual property (IP) protection is now under threat.
“While the core scheme of protection for these rights is unlikely to change, leaving the EU will mean that rights which cover all 28 member states will need to be transitioned to a new regime which either transposes EU rights into national rights or requires rights holders to begin afresh the process of securing IP protection in the UK and other member states,” he said.
Tim Philips, managing director of data management firm Kroll Ontrack said the full impact of Brexit on data transfers in litigation and investigations is dependent on whether or not the UK becomes part of the European Economic Area (EEA) or the European Free Trade Association.
“If the UK becomes part of the EEA and the EU finds the UK’s data protection safeguards to be appropriate this would make transferring data outside of the UK easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the GDPR, when transferring data across borders to comply with legal obligations in other countries. Both legal mechanisms and technology solutions are relied upon in these situations to safeguard the personal data of European citizens,” said Philips.
“If Britain does not become part of the EEA, the situation is more complicated and it is likely that an arrangement similar to the EU-US Privacy Shield would need to be agreed. This will provide a safe passage for the transfer of data between the UK and other countries in Europe.
“Until the UK finalises its data protection regime and comes to an agreement with the EU companies need to think carefully about the risks of transferring data across European borders."