What Brexit Means for The Cybersecurity Industry
In late June, the United Kingdom (UK) held a referendum on whether or not the UK would continue to be a member of the European Union (EU). The UK voted to leave the EU, a decision dubbed ‘Brexit.’ The initial consequences of the Brexit looked grim and, despite some recovery, the fallout is still ongoing. Worldwide stocks plummeted, as did the British pound, and credit rating agencies have downgraded the UK. While global stocks have largely recovered, the British pound (GBP) is still feeling the pain of the decision. But how will the Brexit decision impact the information security industry?
With a decision so far-reaching and impactful, we’re taking a look at the short-, mid-, and long-term consequences.
Short-Term: Spam Attacks Are Up, Spending Is Down
Almost immediately after the Brexit decision was reported and confirmed, Symantec researchers reported that spam emails with the word ‘Brexit’ in the title, such as ‘Brexit causes historic market drop,’ were up 392%. The malicious actors sending the emails took advantage of the concern and insecurity surrounding the situation, targeting employees and enterprises in the UK.
The massive GBP drop has weakened the economy, and many observers predict it will cause a reduction in IT spending; cybersecurity budgets will likely take a similar hit. Gartner’s forecast for UK IT spending in 2016 placed it at 1.7, but they noted that ‘the Brexit will drop this figure between 2 and 5 percent,’ revising their forecast to negative growth in UK IT spending.
Most recently, the EU passed its first cybersecurity law, which, among other things, requires businesses to disclose data breaches and increase their security information sharing in order to bolster security for the entirety of the EU. This law was passed after the Brexit vote, so it’s unclear whether the UK will adhere to it, forgo the law, or pass a similar law modeled on it, as the transition details are still being planned.
Most likely, the UK will comply with these new standards and any others for the near future, as it has two years to negotiate the specific Brexit terms. Which brings us to our mid-term outlook.
Mid-Term: The UK Is Both In and Out of the EU
For at least two years, according to Article 50, the UK will still be part of the EU while the discussions on how the UK leaves the EU are finalized. However, if all the UK states agree, additional time may be imposed in order to complete the transition, which is likely to happen given that it took Greenland three years to exit the EU and it was a much smaller country in a multitude of ways.
What this means is that for at least two years, the UK will still follow the EU’s lead on cybersecurity. Nick Stringer’s post regarding Brexit, privacy, and data protection notes that many of the existing laws, such as the UK Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), and the General Data Protection Regulation (GDPR), will continue to be in place during this negotiation period.
After the UK officially leaves the EU, many of these laws, regulations, and frameworks will likely remain in place, either as strict adoptions or as new frameworks modeled after the existing ones. However, as new rules and regulations are put in place, as seen with the passing of the EU-US Privacy Shield, a data protection law aimed at protecting consumer information by limiting surveillance, the UK will have to develop its own sets of rules and regulations. This is a process that will be more time-consuming for both the UK and any other national body that is involved in a regulatory decision. For example, because of the Brexit decision, the US and the UK must now come to a conclusion on the limits imposed on consumer data surveillance.
When it comes to the laws in place and currently being passed regarding data protection and information security, UK citizens, businesses, and enterprises may not find too many differences in how they should be engaging with data and ensuring it is protected and kept private. However, as discussions and negotiations ensue, it becomes clear that no one yet knows what exactly will happen with the UK as Brexit terms are finalized. And that poses a problem in and of itself in the long term.
Long-Term: Uncertainty Increases Risk
Many of the economic downsides of Brexit also affect information security, both directly and indirectly. And a large majority of the reactions from decision-makers that will impact those industries come from the fact that no one is sure what will happen as the UK negotiates and transitions out of the EU.
The loss of employee mobility and freedom for UK workers in the EU and EU workers in the UK as part of the Brexit decision will have huge implications for London’s burgeoning startup and tech sector. The lack of in-house cybersecurity talent is a big issue for many security companies. An MIT survey on cybersecurity challenges reported that nearly 40% of business and IT leaders surveyed considered the lack of in-house security talent a top challenge. This problem will be exacerbated now that the UK won’t be able to easily secure talent from the rest of the EU.
Taking a wider industry-level perspective, many cybersecurity firms are based in London (the city even has a cybersecurity incubator), and the largest investor in UK venture capital is the EIF (European Investment Fund), which is likely to go instead to other cities with a large tech and startup presence that are part of the EU, like Berlin, Paris, or Amsterdam. Overall, the cybersecurity industry is poised to shrink and migrate from the UK given these new challenges.
As the UK loses its obligation to adhere to any cybersecurity and data protection regulations, it may change the terms of its information sharing or reduce that sharing, which can negatively affect cybersecurity for all parties involved. Even if the UK decides to keep the same standards, adopt new ones based on the EU’s, or develop its own standards better than what exists now, the uncertainty of the entire situation is a risk that many security companies, investment firms, and potential employees aren’t willing to take. Until more specifics are developed and planned, the UK might lose its place as one of Europe’s major information security hubs.