Regulators and security strategists recommend encrypting data at rest, but few organisations do it, and most get it wrong. Good thing there are bigger problems to tackle first.