The cyber-security industry in the UK post Brexit
Today’s cyber-security landscape
The cyber-security challenge within the UK is dual-faceted – not only is the number of attacks increasing, we are also facing a cyber skills shortage where the time to hire new employees is regularly upwards of 6 months and, in many cases, a potential employee with the required skills does not exist to hire. The 2015 Global Cybersecurity Status Report by ISACA found that an overwhelming 87% of UK business and IT professionals feel there is a shortage of cybersecurity professionals, and, worryingly, only 34% of professionals would say they are prepared for a cyberattack.
One of the key aims of the Vote Leave campaign was to reduce immigration into the UK by removing the freedom of travel guaranteed under the EU Schengen Agreement. The result is that Brexit now places an even greater strain on the UK’s recruitment of skilled cyber defence professionals. In November 2015, cyber security was added to the UK skills shortage register, allowing those from outside the EU, or otherwise without the right to work here, to apply for a working visa provided they meet the skill criteria. It is possible that this would be extended to EU citizens post-Brexit. However, the time it will take for this to be arranged, alongside the paperwork and salaries required to attract the right people, will cost the industry heavily at a time when it needs protection most.
The Brexit fall-out
According to the Lisbon treaty, it takes a maximum of 2 years for a country to withdraw from the European Union. Assuming it takes the UK the maximum time to leave the EU, it will become independent in June 2018. The incoming EU General Data Protection Regulation (GDPR), likely to take effect in April 2018, requires companies to notify the EU government of data breaches within 72 hours. Consequently, Brexit combined with the incoming regulatory changes has left many in the UK wondering what they need to do to remain compliant.
It is important to remember that, despite our intended withdrawal prior to the initiation of GDPR, UK companies will still be held responsible under the GDPR. The European continent has been and will continue to be a huge source of customers and trade for UK-based companies, and the GDPR expects European levels of protection to be applied by all companies that store data on EU citizens. Any company failing to do this and failing to report a breach within 72 hours will face a fine of up to €100,000 or 4% of its total annual revenue – whichever is greater. Additionally, the European Court of Justice (ECJ) has shown a repeated commitment, through the invalidation of Safe Harbour, to guaranteeing the protection of EU citizen data wherever it may be stored. The UK will now likely have to negotiate its own version of Safe Harbour, containing large concessions and regulations on data protection.
Following the recent passing of the Investigatory Powers Bill (IPB) by the House of Commons, many are now questioning the extent to which the UK can actually be trusted to hold consumer data. Indeed, the incoming IPB legalises the government’s right to mass surveillance and data collection, and will likely fall foul of any agreement under Safe Harbour or its replacement, dubbed “Privacy Shield”. This could prove to be a deal breaker and lead to widespread loss of business for UK companies that are no longer able to operate in the EU.
Some may hope that a new UK/EU data relationship will mirror that of the EU with Norway and Switzerland. Both have free access to European data despite not being members of the EU, as they have both implemented all existing EU Data Protection Directives. This means that the European Commission has judged their data protection laws adequate for protecting the rights of EU citizens, something the IPB might conflict with. So, it is likely that UK companies will have to comply with the GDPR regardless of Brexit, or we will see a mass exodus of data centres and other data storage companies to mainland Europe.
Borders and data sharing
One of the big questions raised by Brexit is how easy it will be for collaborative data sharing projects to continue once the UK leaves Europe. Information sharing projects are vital to the UK’s cyber defence strategy, sharing and pooling knowledge to tackle threats faster and with a higher success rate. This strategy is proving successful in the UK, with the National Crime Agency reporting that over 30,000 scenarios were shared amongst internet hosting companies and that applying this insight to existing defences resulted in an average of 12% fewer breaches. Post-Brexit, a new relationship will now be required to unite Europe-wide police, data sharing, and cyber security initiatives.
When considering the challenges of Brexit in the context of the UK cyber security industry there is clearly a large amount of confusion about possible outcomes. The landscape for cyber security companies in the UK will undoubtedly shift towards increased consumer protection and more stringent requirements for compliance and data protection.
What is unclear is whether this will be due to necessary compliance with the GDPR so that the UK can continue to store EU citizens’ data, or due to requirements agreed in alternative negotiations entered into by the UK to enable data sharing without the need for EU membership. Regardless of the cause, the next two years will see the UK cyber security industry face big compliance and data protection challenges. To meet these in the face of the cyber skills shortage, companies must ensure they are prepared to implement the steps necessary to continue operating and to meet the requirements of changing legislation, in order to avoid catastrophe.