Brexit - Should we stay or should we go now?

...Both options will have an effect on the UK's cyber security position

Posted on 13 June 2016

brexit cybersecurity

However hard you try to hide from it, someone with their own set of agendas is already trying to influence your vote ahead of the June 23rd polling day. The Prime Minister and the Leader of the Opposition are both in the Remain camp, but are adamant that they actually profoundly disagree with each other, as their motivations to remain are supposedly different. However you look at it, whatever your politics, the effects of both Leave and Remain are unclear – with the only point of agreement that whichever way the votes are cast, the impact to the UK and to Europe will be remarkable.

What does this mean for Cyber Security?

In a complex issue such as Brexit, there are a myriad of interconnections, but for the sake of brevity we can condense these down into three key themes: skills, threats, and compliance.

Skills:

In November 2015, Cyber Security was added to the UK skills shortage register, which allowed those from outside the EU or without an existing right to work in the UK to apply for working visa. It may be fair to assume that these regulations will extend to the EU should the UK leave – so will this have an impact on the ability for firms to recruit the talent and skills that they need to stay safe?

 

The long-term answer is probably not. However, as firms struggle to get to grips with new recruitment processes and visa applications, there may be an initial barrier thrown up that shocks the labour market as demand outstrips supply.

 

This may lead to inflated salaries in the short term, but also more students heading into cyber-security courses, which over the long term can only benefit the UK’s capability. But back to immediacy; do you have all the talent currently in place, or were you planning on recruiting later on in the year? Might it be worth starting your search sooner rather than later?

Threats:

Another facet to the debate is what we will loosely term ‘threats’, and whether organisations will face a different threat landscape post-Brexit.

 

Threat Intel merchants will seize the Brexit opportunity to supposedly turn Europe against us. Suddenly Denmark will be the next APT, targeting a ‘high street favourite purveyor of warm sausage rolls and pasties’ for sales volume data, and we’ll all be left wondering what’s real and what’s not.

 

Of course, the answer is ‘no-one knows.’ What is completely clear is that trade deal information is a high value target, and market uncertainty attracts interest. Ultimately a backdrop of change, not stability, provides a fertile backdrop for making (and losing) money.

Compliance:

Finally, let’s look to compliance and regulation.

Firms trading in the EU are today held accountable by the UK Information Commissioner Office (ICO), and also the EU General Data Protection Regulation (GDPR), which was adopted on the 14 April 2016 and is subject to a 20 day standstill period to be effective from May 4th.

 

The headline difference between the ICO and the GDPR is the extent to which firms can be fined for data breaches. The ICO states 2% of global turnover, whereas the GDPR is regulated to 5%.

 

Whichever number you take, these are significant chunks of change regardless of the size of your organisation, with the GDPR likely to take the edge in terms of keeping you awake at night. Will Brexit free you from this worry? Probably not; if your firm trades in Europe or holds data related to any EU citizen, then both the ICO and GDPR will continue to apply.

 

From a cyber/Brexit perspective, has this cleared anything up? Food for thought perhaps, but nothing yet is clear. Which, you could argue, is indicative of the wider issues at large. As The Clash Lyrics suggest – if we go there will be trouble, and if we stay it could be double’ or perhaps even triple!