Encryption Isn't Everything

Shannon Kellogg, director of government and industry affairs at RSA Security, recently recounted a decision by a federal agency to encrypt everything (systems, emails, devices) to avoid the dreaded security breach that so many other agencies have reported. Apparently, after the decision was made, a contractor working with the agency (Kellogg declined to name the agency or the contractor) accessed sensitive information while on the network, saved it on a USB memory stick -- and then walked out the door. Kellogg didn’t say if the agency reported any data loss â€" but who's to know? Exposure is exposure, and the risks still apply.

This story certainly isn't unusual, but it bears repeating because this plays out in every agency routinely. Among the most important lessons that can be learned may be to avoid knee-jerk reactions to security threats -- such as believing an encrypt-everything policy will insulate you from security breaches. Such policies are, by definition, reactionary â€" not strategic. Encryption â€" like any security strategy â€" works in specific circumstances, but should not be the end-all-be-all security policy.

And this lesson comes from a security vendor.