Brexit will not only change the physical borders of Europe but the region’s digital borders too. For CIOs and CISOs, keeping an eye on how data regulation will be affected will become an essential part of their jobs, soon. To preempt the fallout, IT executives should now focus on the practical and long-term issues of the 'Leave' decision, such as InfoSec workforce planning, hardware and software procurement and, crucially, regulatory compliance.
It seems many organisations were chronically under-prepared for the 'Leave' vote in the referendum. According to a survey by CEB, 59 per cent of UK businesses said they were relatively or very under-prepared. One thing is for sure: this same mistake cannot be repeated when Britain eventually chooses to trigger Article 50 and takes a seat at the EU negotiation table.
So, how can businesses adequately prepare for what is coming?
Think single market
As it stands, it is expected that the UK will strive to remain in the single market and continue to be part of the European Economic Area (EEA). This speculation became more concrete when newly appointed Prime Minister Theresa May stated that: 'It must be a priority to allow British companies to trade with the single market in goods and services.'
This offers some relief for UK organisations and their overseas customers that trade will hopefully be 'business as usual'. However, for CIOs and CISOs in these organisations, a lot will need to change. In order to continue trading with EU member states in the single market, UK businesses will need to adhere to key regulations, much like Norway and Switzerland do today. Now is not the time to sit on the fence and wait for the exit negotiations to start. CIOs and CISOs need to start doing due diligence on what regulations may affect their businesses and start laying the necessary groundwork for compliance.
Get GDPR-ready, now
Considering that around 10 per cent of the UK's GDP comes from its digital industry, the government should not gamble on putting this sector at risk through non-compliance. To confirm this, the UK’s Information Commissioner’s Office (ICO) has stated that regulations such as the General Data Protection Regulation (GDPR) are 'still relevant for the UK', particularly for businesses with international operations.
Although post-Brexit, UK organisations will not need to adhere to the GDPR by default, this is not a question of 'want' or 'need'. If you have international operations or even just customers in Europe, it is about business sense. The GDPR will come into force on 25th May 2018 and CIOs and CISOs need to ensure compliance. If not, their organisations could still face huge penalties or be at risk of losing business.
On the risk side, the GDPR will introduce a duty on all organisations to report certain types of data breaches to the relevant supervisory authority and, in some cases, to the individuals affected. Timely remediation and notification of data breaches will become a focal point for CIOs and CISOs.
The compliance work does not stop there. Over the last few weeks, the European Parliament also agreed on the Directive on Security of Network and Information Systems, the first EU-wide cybersecurity rules, otherwise known as the NIS Directive. This aims to establish a common level of network and information security among EU member states, primarily affecting companies operating in essential sectors such as energy or transport, as well as digital service providers. Cyber-security responsibilities have never before been legislated to this degree. All signs point to Brexit making data protection more, not less, important.
Compliance is real
Compliance does not just involve a mental understanding of policy. It is about the action of complying. Even in post-Brexit limbo, businesses must take steps to protect their customers and bottom lines in line with the GDPR and other emerging policies. After all, a data breach does not just draw the attention of a regulator. It can also cause significant reputational damage, scaring away potential customers in the process. It makes business sense to focus on InfoSec.
So what does this involve? For one, have a full-stack security solution in place. This should cover all bases, from securing the enterprise perimeter with anti-virus and malware protection, to breach detection and modern endpoint backup tools. With 43 per cent of sensitive data now held on the endpoint according to our 2016 Datastrophe Study, protecting data at the endpoint is essential. Combining a modern security mindset with up-to-date tools and solutions will go a heck of a long way in helping with compliance.
Be prepared — that is the lesson that must be learned. While the details of Brexit are yet to be ironed out, CIOs and CISOs can only lose by sitting on their hands. The EU is increasingly committed to data protection, so any future trade agreements with the UK will certainly emphasise compliance. Start the process of adjusting InfoSec strategies as soon as possible, do not let IT spending slip, and reassure your clients that you are taking steps to adequately safeguard their data. Taking confident action now will send a sign to foreign investors and the public that your business is committed to data protection, no matter what the political arrangement.
Nic Scott, MD of UK and Ireland at Code42