Encryption myths and realities

University of Alberta faculty, staff, and post-docs are required to encrypt their mobile devices used for university business. This mandate allows us to be compliant with Government of Alberta directives and the Privacy Commissioner. 

Many people think that their laptops are secure because they are password protected. Unfortunately, if your laptop gets stolen, a password is not an impediment for someone who wants to read your data. You must go one step further – encrypt the data. Encryption is a one-time activity, is easy to do, and does not harm the performance of your computer. If a thief tries to read your encrypted data, all s/he will see is garbled information.

Historically there has been some misperception and apprehension about using encryption technology. Gordie Mah, the university’s Chief Information Security Officer (CISO), has prepared a set of common misconceptions and realities about encryption. Hopefully reading the following text will answer many of the questions being asked.


Common misconceptions about the university’s Laptop Encryption Initiative
Misconception:
Encryption slows down laptops and impairs computing performance and processing.
Reality:
After the initial process of encrypting the laptop hard drive is complete, the impact to your laptop performance is negligible with no noticeable impairment.

Misconception:
Enabling and configuring encryption is complex and requires significant resources, time, costs, and effort.
Reality:
As the university recommends the encryption tools already built-in and included with your laptop’s operating system (for Windows and Mac), the configuration steps are straightforward. The encryption tools are free. In most cases the unit’s IT support will enable the encryption. The actual steps do not require much time, and you can still work on your laptop while the initial encryption of your hard drive is processing. 

Misconception:
Encryption requires extra actions and more time to log on/off and use the laptop.
Reality:
Encryption on your laptop is transparent to you. You log on to the laptop using a login ID, just as you did before. You will not experience any changes in using your laptop.

Misconception:
Laptop loss and theft do not occur on campus, and this is unlikely to happen to me.
Reality:
The university has several lost and stolen laptops every year, and global research reveals that there’s a one in ten chance you will lose your laptop or have it stolen this year.

Misconception:
I am not bound by any legislation requiring me to adequately safeguard information on my laptop.
Reality:
The Alberta Office of the Information and Privacy Commissioner and information management legislation such as FOIP do require information custodians to adequately protect personally identifying information. The privacy commissioner specifically mandates laptop encryption for custodians of personal and sensitive information.

Misconception:
The university hastily conceived the laptop encryption initiative and mandate and does not consider the needs of faculty and staff.
Reality:
The laptop initiative took more than a year and a half to design in order to ensure the solution meets legislative, best practice, privacy/security, and business needs. The project team consulted other universities, conducted thorough testing, conferred with legislative bodies, worked with university stakeholders, and sought a transparent solution. 

Misconception:
Laptop encryption is all I need to adequately safeguard university information.
Reality:
Encryption is only one among a number of other controls and best practices that together can adequately safeguard university information. 

Misconception:
I do not have to log in to my encrypted laptop when requested to by customs agents or law enforcement.
Reality:
Cooperating with customs agents and law enforcement, and logging in when they request it, is highly recommended. These agents can detain you and your laptop and escalate their directive if you fail to comply.


For more information, please visit the Mobile Device Security website and read the Mobile Device Security Best Practices document.

These myths and realities were first published in the Encryption FAQ on the Colloquy Blog.

Thank you,
Gordie Mah
Chief Information Security Officer (CISO)

Posted by admin