What does Brexit mean for data privacy and cyber-security?
- Published: Friday, 01 July 2016 12:07
The result of the UK referendum was clear: more than a million people tipped the scales in favour of Leave. There will be at least a two-year period (some say five) before the UK decouples from the EU. It will be a time of profound uncertainty and many are concerned about its effects on cyber-security and data privacy.
So are we likely to see an uptick in cyber-crime as a result of Brexit? Whatever the outcome of UK negotiations with the EU, this will be a period of change, and for hackers change creates opportunities. As Ken Munro at Pen Test Partners says: “Scammers are nothing if not opportunistic, any point of change creates an opportunity for phishing attacks…there is a potential for invoice fraud, scammers can step in.”
Ilia Kolochenko, CEO at High-Tech Bridge, based in Geneva, has another concern:
“A recession in the economy may cause serious problems in all industries, including cybersecurity. It's not only about potential lack of new investments and corporate income, but also about more aggressive competition on the market.”
On a practical level, to prevent consumer fraud in a changing world, businesses must validate any request to alter a client’s banking details, and they need to make clear to customers what is a valid request and what is a phishing email or scam.
Munro again: “For the consumer any message from a business to their customers must be really carefully thought out. Customers are expecting change, the scam emails go out, and all of a sudden people are losing money.”
There are worries that Brexit could also mean a loss of threat intelligence and less intelligence sharing between the UK and the EU. However, it is highly likely there will be a pragmatic arrangement between the UK and the EU on such matters. Kolochenko is optimistic: “Formally, data exchange may become more complicated, however I don't think that anyone has an interest to stop or reduce the volume of threat intelligence sharing with UK. Even if old alliances and procedures are cancelled, new ones will appear pretty quickly.”
The European Union has released new guidance on how companies operating in Europe should protect customer data. In less than two years, all organizations will have to comply with this General Data Protection Regulation (GDPR).
This regulation is generally welcomed by the security industry, but as with all EU regulations it will vanish from UK law once we leave. Kolochenko doesn’t see a problem here: “If the UK decides to develop and adopt its own data privacy law, quite probably it will be fully compatible with GDPR.”
But Ken Munro is apprehensive that once freed from the shackles of EU law, the UK government could use this opportunity to enact much less regulation “so as to encourage investment and business.” If that were the case, he fears that privacy might suffer. “We are in a good place for data protection right now and can only get better with GDPR. Once out of the EU we would need to produce something on a par.”
For businesses, Ken Munro is clear that the upper echelons of management must take responsibility for customer data. “Data protection has to be a board level effort; someone on the board must own data privacy and data protection.”
Jim Preen is head of media at Crisis Solutions.