About disc encryption
From zdnet:
Faced with the thought of a USB drive, notebook PC or backup tape going missing, most IT managers look to some form of encryption as the first layer of defence. However, according to one storage security expert, that's largely a pointless exercise.
"I often refer to encryption as crypto fairy dust," Eric Hibbard, chair of the Security Technical Working Group in the Storage Network Industry Association, said in a recent interview. "A lot of IT managers sprinkle this on and think it makes certain problems go away."
The reality, Hibbard suggested, is rather different. "If you're doing encryption in the storage ecosystem, the pay off is very limited. A hard drive or tape drive wandering off is a real problem, but that's not a data confidentiality issue; it's a media confidentiality issue. If you're talking about sensitive information, encryption is just one tool in the toolbox. If you don't have that mated to tight authentication and access control, you're screwed."
Of course, there are plenty of reasons why such a mating isn't happening. Getting to that kind of integrated nirvana is a worthy goal, but rarely happens in IT environments where heterogeneity is a fact of life. There simply isn't time, budget or staffing expertise to bring it all together, so access control tends to be limited to the most pressing projects.
I have to agree with him: lost (as in not-in-the-building-or-where-it-should-be) data usually means there's a problem with how the data is handled. Encryption can be a good way to prevent such data from being used by third parties, because it mangles the data in such a way that it's very hard to read.
First, before any USB stick is allowed into the company, it has to be encrypted. That way, if data is lost, it's not too bad.
After that, if a stick is lost, it is time to figure out how the data was lost in the first place and make sure that it doesn't happen again. How many times have we heard of some kind of data loss at one company or agency or another? If the disks are encrypted by default, the loss of a USB stick only means that the IT department will have to get another USB stick and the company will have to see to better security. If the disks are not encrypted by default, well... it could be as bad as the company going down.
Thirdly, once the layers of security (encryption layer, procedural layer and physical security layer) are implemented, you'll have one less hole to worry about.