Given the ongoing parliamentary and government stalemate over Brexit, and the confusion this has spawned within UK PLC, it's unsurprising there has been much debate regarding potential trade agreements, EU worker rights and so on. What is surprising, however, is the general apparent lack of parliamentary and media interest in how data will be impacted by the various Brexit outcomes currently being debated.
Data sovereignty issues regarding cloud servers physically based in mainland Europe and beyond could come back to bite business, and bite hard, depending upon the Brexit we end up with. Access to data on a secure and safe basis will be paramount to ensuring business can keep on doing business.
"If the EU and UK do not match their data protection legislation in future, limits on accessing data stored outside of the UK may come into effect," Paolo Sartori, CEO of TransWorldCom, says, adding, "services need to be planning ahead of Brexit and the ensuing transition period in terms of ensuring that their data is safe and secure for the future of trading."
Newly published Tripwire research had revealed that only 25 percent of businesses have already spent money on cyber-security preparation for the UK leaving the EU. That suggests the preparatory message has been somewhat lost in the fog of uncertainty surrounding the whole Brexit process. Again, no surprise when you consider that same research revealed 48 percent of businesses believe that cyber-security ramifications are not taken into serious consideration when geopolitical decisions are made.
Digital minister, Margot James MP, has acknowledged the role that data plays in day-to-day business, and urged companies to prepare ahead of a potential no-deal Brexit, warning "the current uncertainty around Brexit is of great concern and businesses need to take action to limit the risk of potential disruption if a no deal were to happen." So, other than checking the Information Commissioner’s Office guidance, as James suggests, what else should the enterprise certainly be doing related to this Brexit uncertainty?
For a view from the outside looking in, SC Media UK spoke to Jake Olcott, VP Government Affairs at BitSight, who has previously served as legal advisor to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee in the United States. "Organisations who were working with UK businesses may need to think about introducing new vendors and suppliers into their environment" Olcott warns "changing their existing relationships with a trusted supply chain." This will likely introduce greater risk to the business from a cyber-security perspective, of course.
"New third-party suppliers—including any and all software providers, business associates, contractors, and subcontractors—may expose an organisation to cyber-risk that could be potentially harmful or even catastrophic" he adds, concluding that "post-Brexit, the need to incorporate cyber into supply chain risk management will be greater than ever before."
Laurie Mercer, a security engineer at HackerOne, points out the security skills shortage comes into sharper focus as Brexit draws ever closer. "Only four percent of the HackerOne community, the largest group of hackers in the world, reside in the UK," Mercer told SC Media UK, adding that, "hopefully, Brexit will not worsen the ability of UK based companies to attract the world’s best talent."
However, freedom of movement issues could do just that. "Limiting the talent pool available to British businesses could put them at a disadvantage to cyber-criminals and put citizens data at risk," Mercer warns, concluding, "one way of engaging with the best international security talent without having to apply for visas is to use alternative models to traditional employment, like Bug Bounty Programmes."
Jake Moore, a cybersecurity specialist at ESET, reminds us in conversation that the uncertainty around Brexit brings with it a new, and potentially unforeseen, avenue of attack. Namely EHIC cards, European Green Cards, and even GDPR. "All offer cyber-criminals the potential to craft targeted phishing attacks." Moore warns businesses, adding, "social-media driven fake news can use scare tactics and I highly doubt the furore around Br.xit will be any different."
Ultimately then, Brexit or no Brexit, deal or no deal, the enterprise needs to continuously review security posture and address weaknesses within it. "This involves training and awareness for people, processes around dealing with critical information and potential risks to it," Dr Guy Bunker, CTO at Clearswift, told SC Media UK, "as well as looking at technology to enforce the processes and keep people and information safe."