The Office of the Australian Information Commissioner (OAIC) has been clear about encrypting personal data, both in its guidelines and in recent data breach investigations. But according to Chris Gatford, director of penetration testing firm Hacklabs, very few organisations are living up to expectations.
"Encrypted file systems, especially encrypting data at rest, it just doesn't occur," Gatford told ZDNet. "Ninety-nine percent of organisations do not encrypt anything other than the occasional laptop."
The most common scenario Gatford encounters during pentests is one where none of the target organisation's desktop workstations run any kind of encryption for end users whatsoever. That is a long way from what the OAIC expects.
The OAIC doesn't demand encryption outright. But its Guide to securing personal information reminds organisations that they need to take "reasonable steps" to secure that information. Encryption is "important in many circumstances", and organisations need to protect data, whether it's on servers, in databases, in backups, in third-party cloud services, on end-user devices including smartphones and tablets as well as laptops, or in portable storage devices.