3. Proper implementation of encryption
In the end, it's not the algorithm that matters most, but how it's implemented. To that end, it's also best not just to rely on someone else's battle-tested algorithm, but someone else's battle-tested implementation for same. A well-audited third-party encryption library is always a better choice than rolling your own, and someone else's well-used encryption container will almost always be better made than the one you hack together.
That said, it isn't always true that the more broadly used something is, the more widely it's been scrutinized. The above-mentioned TrueCrypt is a good example: Though it's one of the most widely implemented third-party disk-encryption systems out there, major questions have lingered about how well it's put together or whether or not a backdoor of some kind is squirreled away in the code. A third-party auditing fundraiser has since been put together to find out what's going on, although some preliminary research shows TrueCrypt is probably OK.
What's toughest of all to determine is whether or not encryption of a remote resource is valid or even taking place. If encryption happens only on the remote server -- that is, if it's not encrypted on the client, then sent -- it's tough to prove anything is happening. Lavabit came under criticism for its implementation of encrypted email, which it claimed didn't provide anything it hadn't promised but was still disappointing.
Finally, the biggest problem with any implementation is that it's only as good as its ultimate implementer: the end-user. A user who pays no attention to the possibility of keyloggers or spyware on their system, both of which can be used to harvest passwords, won't benefit from any strength of encryption.
In sum, good crypto is akin to a chain: It's only as strong as its weakest link. As we become more dependent on encryption in most every aspect of our IT-powered lives, every link in that chain deserves the deepest possible scrutiny.
Sign up for CIO Asia eNewsletters.