This is a great example of how security process can be confused with security instruments. It is also an example of security theater – security for security’s sake. Even if it had been in place at the time of the incidents, encryption would not have prevented them. This was obviously a human error. Firewalls, antivirus, IDS, IPS, encryption, and whatnot are just security instruments or tools. True, they are equally important and necessary, but they do not work without security processes in place.

“A June 23, 2006, memo … authored by the Office of E-Government and Information Technology, directed agencies to encrypt all agency data kept on mobile devices within 45 days.”

Millions, if not billions, spent on encryption technologies will not mitigate such risks. But such expenses are much sexier and much easier to justify than, for example, user education, policy implementation, etc. This is what makes people feel better and (falsely) more secure.

On the other side of the law, the bad guys do not care about sexy technologies. They will keep looking for and keep attacking the weakest links. When was the last time you heard about a security breach where the bad guys broke encryption itself?
