InfoSec Blog - The Importance of Encryption
October 11, 2019
Encryption is one of the most important security and compliance controls for securing University data because it makes the contents of an encrypted device unreadable in the wrong hands.
Each year, Information Security receives several reports of lost and stolen computers and mobile devices. In cases where those devices are encrypted, there is very little follow-up necessary from the Information Security team or the University Privacy Officer since the data is considered safe. However, if a lost or stolen device was not encrypted, there is a large amount of work ahead to understand the potential impact to the University, from both a financial and a reputational perspective. For the owner of the lost/stolen device, that will mean:
- Interviews with Information Security and Privacy Officer to understand what information may have been included on that device, including in email and data stored locally,
- Filing of a police report with Campus Community Police and/or law enforcement where the incident occurred, and
- Creation of a Privacy Incident Report (https://www.uoguelph.ca/secretariat/sites/uoguelph.ca.secretariat/files/public/2018_privacy%20incident%20form%20%28fillable%29.pdf).
If the threshold of risk is high enough (and we always have to assume the worst-case scenario), the University may also be required to:
- Notify the Information and Privacy Commissioner of Ontario,
- Notify all impacted individuals (students, staff, faculty, etc.) of the breach,
- Involve Communications and Public Affairs to handle any external communications including media, and
- Engage the University’s cyber insurance provider for additional breach support or financial coverage.
In cases where there is the potential for further harm (such as financial, reputational, or identity), this may lead to additional costs or actions to be undertaken by the University, such as purchasing identity protection services and insurance for affected parties.
CCS has made strides to make the encryption process more reliable, less impactful on users, and easier to support for Managed Desktop and Managed Desktop Shared Services customers. As you can see from the list of items above, simply encrypting devices reduces the risk for the University and can save everyone a lot of time and headaches in the event of a lost or stolen device.
In all cases, it is important to notify Information Security as soon as you become aware that a device has been lost or stolen.
Written by: Stephen Willem (Chief Information Security Officer)