Among all the black boxes at IFSEC, a man from the charity sector made his voice heard.
He was Phil Durbin, head of corporate systems for The Salvation Army. He spoke on the final afternoon of the show, the Thursday, about the rise of consumer IT and ‘bring your own device’ (BYOD for short). After his talk, Professional Security asked him what brought him to IFSEC, a security event. He said: “The IT fraternity holds the key to security as we know it in terms of data, particularly with ‘Big Data’, with mobility, and with Cloud; it’s all IT.”
Technology the easy bit
Durbin is strongly in favour of people bringing their own device to work, and in his talk pointed to industry research that if you don’t let people do that, they will do so anyway, which could give you even more IT security problems, as you won’t know what’s on your network. But as he told Professional Security, getting the technology right ‘is the easy bit, the most difficult bit is the educating of our users to be more security-savvy. Yes, it is important that we get the technology right, but it’s about education. Because actually you can spend far too much money trying to make everything 100 per cent secure and some will find a way in; either accidentally, they will stumble across a way in, or they will do it out of spite, to be provocative. And however many millions you actually invest, no technology will ever keep everybody out’.
The third sector
Significantly, Phil Durbin went on to describe what’s special to charities, or ‘the third sector’, to mark it apart from private business and the state. The last time Professional Security featured charities at length was in 2012, with Brian Shorten, risk and security manager for Cancer Research UK. Much as Shorten pointed out, Durbin spoke of how charities have to invest in IT security while those who have donated to the charity may ask, ‘why are you spending so much of our money on IT security?’. In other words, charities have their mission, ‘so we have to be very careful in the charity sector; we cannot throw millions at technology. So we do rely on education and trust.’ Whatever charities spend has been hard-earned by someone, Phil Durbin added, and given out of kindness: “They haven’t given us the money to spend on IT, and IT security, they have actually given us that money to spend on the charity.” The Salvation Army defines its effectiveness not in how secure it is or how many PCs it has, but in how many homeless or trafficked people or people with addictions it is helping. IT and IT security are a service offered to people on the front line of social care, he went on: “If you like we are servants to our social workers, our project workers and our church ministers. And so we try to provide them with the tools to enable them to do their job far more effectively and make a much bigger impact on society.” While physical security is not his field, he agreed the same applied; Salvation Army buildings needed access control and so forth, but (as he explained) the right balance is required between security and accessibility, ‘as we open our facilities to the local communities’.
In our June issue we featured the various ‘Generations’ that may have yet to come to terms with IT, or have embraced it, or have grown up with it and take it for granted. In his talk, Phil Durbin spoke of an increasing number of people with their smart phones, ‘all the time, wherever they are, and whatever they are doing’. He suggested that many employers were in denial about BYOD, and that IT departments had opened their eyes to the fact that something had to be done. Corporate networks were not impenetrable; rather, they were open to being compromised. He spoke in terms of risk; there are risks attached to rolling out a BYOD strategy, but equally risks if you don’t roll out such a strategy: “I believe risks are greater if we don’t roll out that strategy.” Examples include apps that bypass network security, or perhaps piggy-backing on an application already accepted, or not keeping up to date with IT security patches. The top three risks for him were stolen devices; adware and spyware that may collect data; and cloud-based storage that is not as secure as you might require, or realise: “Yet how do we stop their use?”
Salvation Army rules
The Salvation Army enforces an eight-character passcode, which has to include at least one numeric or special character, and ‘which has to be renewed every 90 days’. If a device is unattended for ten minutes, it locks. And the Army enforces encrypted back-up of BYO devices. As Phil Durbin put it, making a reference to Star Trek: The Next Generation, in the words of the Borg, ‘resistance is futile’. In his words: “BYOD is inevitable; don’t fight your staff.”
About Phil Durbin: 24 years in IT in charities, including 15 at Unicef. He’s secretary of the Charity IT Leaders, CITL for short, a UK networking group. Visit http://www.charityitleaders.org.uk/.