This is a guest article written by Rebecca Moran. The author’s views are entirely her own and may not reflect the views of IT Governance.
Are you nervous about the Brexit? Uncertain about the way forward for your organisation? Probably. That uncertainty is being felt right across the UK.
The recent referendum that saw a majority of the United Kingdom vote in favour of leaving the European Union has sent shockwaves across the world. Organisations preparing for the General Data Protection Regulation (GDPR) are now wondering what could be next.
The Information Commissioner’s Office (ICO) has been clear: if you want to trade in Europe, then your data security needs to be up to scratch, and by ‘up to scratch’, we mean compliant with the GDPR. It looks as though the ICO will push for a reform of data security law now that the ‘out’ vote has been made, which means it is likely that the GDPR or a very close version of the Regulation will gradually push through the UK’s legislative processes. I have also heard some speculation that the UK could create a radical new framework of its own. It’s a very interesting time.
Whatever the legislation, you can bet your bottom dollar that the changes will ensure more stringent controls for data management inside and outside the UK.
Cyber crime hasn’t changed
We need to remember one thing: the threat to information security has not changed; there are still criminals who want to infiltrate your networks, infect your systems and steal your information. There are still criminals who will use email, phone and text to extract information from your employees and exploit it for their own gain – the referendum hasn’t changed their desire, their techniques or their motivation. They’re still after your information assets; they never stopped – or even paused – for the sake of the vote, and nor should you.
The General Data Protection Regulation (GDPR) lays out a host of requirements for the protection of personal data. It’s generally viewed as a step in the right direction for fighting cyber crime, and, in my opinion, it is the best thing to happen to information security in a long time.
Even if the UK does exit the EU, we’ll still have to abide by the Regulation if we want to do any kind of business with the continent. The best thing for your organisation is to embrace it and move toward GDPR compliance; it’s the best thing for your company and it’s the best thing for your customers.
You can expect that the ICO will lobby for a similar regulation to be put into place here in the UK, and you can get well ahead of the game by continuing with your GDPR compliance plan. Haven’t started yet? There’s no time like the present.
Business as usual
We shouldn’t let Brexit have an impact on security: we keep on detecting and preventing, and we continually improve. It doesn’t matter where in the world you are, which ‘club’ you belong to or what laws you have in place. The bottom line is that, if you have sensitive information, the criminals want it, and you need to protect your business.
There is some speculation that Britain will become more vulnerable to cyber attack because there will presumably be less sharing of intelligence. This simply means we should up our game. I hope to see the British government take the bull by the horns and secure sufficient funding for Britain’s cyber defences. The threat is very real, but whether that threat has escalated as a result of the vote remains to be seen.
One thing that should concern us all is the serious lack of cyber skills, because Europe has traditionally been a treasure trove of security professionals for the UK. We have a lot of foreign IT security staff working with us in Britain, and they are needed because the UK has a well-publicised tech skills shortage. Furthermore, while most university funding currently comes from Europe, we need to see the UK Government commit to funding the next generation of security professionals.
This is where businesses can help: it’s time to start developing the staff you already have. If you have IT staff, auditors or developers, now is the time to start expanding on their education to get the security skills you need. Use consultants to get the best you can from your current employees. Get to know your staff and what their interests are; you may be employing someone with a set of skills you had no idea about because they class it as a hobby. These are the people you can develop: people who already have a base level of knowledge to branch from. It’s money well spent.
We also have to consider that despite the voting outcome, the UK’s exit from the EU will not come immediately. It will take a couple of years at the very least, so, while we wait for government entities to sort out their direction, and put new policies and agreements in place, we must carry on protecting our people and their information. We must continue to do our jobs. We must continue to do the right thing.
The Brexit isn’t the end, it’s just a change – one we will deal with head-on.
Learn from the experts
Delivered by an experienced data protection consultant, our GDPR training sessions are built on the foundations of our extensive practical experience gained advising on compliance with data privacy laws and related information security standards such as ISO 27001. Discover more about IT Governance’s EU GDPR Training Courses.