The Brexit Shaped Gap In UK Cyber Security

Uploaded on 2019-04-08 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

Leaving the EU could mean a new cyber security regime for the UK, firms need to understand how the changes might affect them. There has long been a strong partnership between the UK and Europe in cyber security.  With the outcome of Brexit still uncertain, there is much debate about how these links will be maintained in the future. 

There will clearly be changes, not least that the UK is set to lose its seat on Europol’s management board and will no longer be able to shape European Union (EU) cyber security policy and regulation. However, there are many areas where it is still unclear what will change, so organisations will need to make sure they are aware of new developments, understand the implications for their business and respond quickly.

Cyber Security Standards
One area in doubt is the level to which EU cyber-related standards will continue to apply in the UK. 
For example, while the Network and Information Systems Regulations (NIS), which is based on an EU directive, has now been put into law in the UK, some aspects of it require cross-EU cooperation, such as the participation in a Computer Security Incident Response (CSIR) team network. The nature of this co-operation will depend on the final deal between the UK and the EU.

The E-Privacy Regulation, which replaces the Privacy and Electronic Communications Regulations (PECR), has yet to come into force, but may do so later this year and will have a one-year implementation period. Whether it will be implemented is likely to depend on a Brexit deal.

The EU has also proposed a new Cyber Security Act, but it is unlikely to be implemented before any transition period, although not being part of it could affect future information sharing between the UK and the EU. The real challenge is that if there is no deal, the UK may become a so-called third country, and this could raise concerns about UK standards which could have implications for UK organisations holding EU-related data.

Flow of Personal Data
The UK government has taken some action to address these uncertainties, including the recent ratification of Convention 108+, an agreement on robust data protection principles and rules signed by 25 other countries – 19 from Europe and six from the rest of the world. This convention lets the signatory states share data, providing they implement its principles, which are aligned to the General Data Protection Regulation (GDPR). Although this does not remove the Brexit uncertainty, it will lessen the impact of a no-deal scenario and help to enable the continued flow of personal data.

Despite this move, organisations, especially those that trade in information between the UK and the EU, will need to take action to minimise any cyber security issues when trading with the EU and other countries.

That should include continued monitoring of new cyber-related laws and regulations in other countries and a process for assessing whether there is a business need to meet these new requirements, rather than just the local UK-based ones, such as Cyber Essentials.

This should be supplemented by a review of the organisation’s cyber security standards to ensure that it is not locked out of important markets. This may well mean adopting even more stringent or different controls relating to cyber security than we have today or in the future to ensure the business can continue to trade.

Good cyber security practice should remain a priority, including deploying an adequate proactive threat intelligence service to monitor the potential for increased cyber-attacks. It is possible that malicious actors could look to exploit a disorderly exit and look for loopholes in current systems or use uncertainty and inconsistency in the cyber security laws between the UK and Europe to find new ways to attack systems.

International Rules
Good relationships with regulators and government bodies, such as the National Cyber Security Centre (NCSC), will also be more important than ever. It will be vital for all those involved to work together to understand how UK-based regulations can be aligned and recognised under other international cyber security standards.
Finally, there are some practical steps that organisations need to take in relation to data transfers. They should review which third-country data transfer safeguard mechanisms can be used for personal data transfers to the EU, such as standard contractual clauses and binding corporate rules.

They also need to review their privacy notices, information and internal documentation to identify any details that will need updating when the UK leaves the EU. In addition, they should liaise with data protection authorities in all the EU countries of operation to ensure they comply with their local specifications.

Of course, all of this is no guarantee that the rest of the world will be happy to continue to share information with UK organisations, but careful monitoring and proactive adoption of cyber security standards is the best way to navigate through the uncertainties of the post-Brexit world.

Computer Weekly:

You Might Also Read:

UK Deal With EU On Post-Brexit Data Sharing:

UK And EU Will Connect With Cybersecurity After Brexit:

 

 

« British Politicians Need To Better Understand Cyber Security
Financial Apps Are Vulnerable »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

Open Information Security Foundation (OISF)

Open Information Security Foundation (OISF)

OISF is a non-profit organization led by world-class security experts, programmers, and others dedicated to open source security technologies.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

SpyCloud

SpyCloud

SpyCloud is a leader in account takeover (ATO) prevention, protecting billions of consumer and employee accounts either directly or through product integrations.

GoSecure

GoSecure

GoSecure Managed Detection and Response helps all organizations reduce dwell time by preventing breaches before they happen.

Commonwealth Cyber Initiative (CCI)

Commonwealth Cyber Initiative (CCI)

The Commonwealth Cyber Initiative is establishing Virginia as a global center of excellence at the intersection of security, autonomous systems, and data.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

WhizHack Technologies

WhizHack Technologies

WhizHack's mission is to not only create a pipeline of cyber security products but also to empower people to sustainable innovation in securing digital assets of tomorrow.

Com Olho

Com Olho

Com Olho provides the measurement, analytics, quality assurance, and fraud protection technologies brands need for their business and customers.

Conceal

Conceal

Conceal’s mission is to stop ransomware and credential theft for companies of all sizes by developing innovative solutions that provide social engineering protection in any browser.

NetSfere

NetSfere

NetSfere provides next-generation messaging and mobility solutions to carriers and enterprises globally including its enterprise-grade, secure mobile messaging platform NetSfere Enterprise.

Yokai

Yokai

Yokai is a secure, distributed platform for data communication with enhanced security features tailored for classified environments such as finance, defence, healthcare, cybersecurity, and more.

Hanwha Systems

Hanwha Systems

Hanwha Systems is a global company based in South Korea providing defense electronics and smart ICT solutions.

Exaforce

Exaforce

At Exaforce, we are on a mission to 10× improve the productivity and efficacy of security and operations teams using our transformative multi-model AI engine.