A doctor uses his iPhone to send a medical image to his colleague. A sales representative pulls up a purchasing history on her laptop as she talks with a customer. A data scientist inputs sales numbers, company budget information and customer demographics into an analytics program. They all have a few things in common.

First, they're all becoming a part of the way organizations streamline processes and add value to the people they serve. Second, they're all examples of how data security has become significantly more complex than it use to be. Cybercriminals have the opportunity to steal sensitive information anywhere it is stored and any time it travels from one device to another. Jerry Jean, Chief of IT Security at McGill University Health Centre spoke on this issue at the Malware 2012 conference.

Jean discussed data protection as it relates to healthcare, suggesting that security professionals must adapt their strategies to account for modern threats, ITProPortal writer Neil Rubenking reported. Antivirus software falls short in a number of ways, according to Jean. It can tell users that a machine has been infected and that it was later cleaned. However, it won't provide information on what the malware did and how long it was there. Important questions such as whether any sensitive data was compromised go unanswered, Jean noted.

"Rethink the model! Don't reinvent the wheel, and don't just make the wheel run better." Jean said at the conference. "The criminals are being very creative and very innovative. They will rethink their model, and you'll have to catch up. Instead, how about you find new techniques and make them catch up. We're moving away from protecting devices to protecting data. First protect my data, then protect the device. Finally, understand the business you're working with."

It's good to have solutions in place that reinforce the digital walls surrounding organizational data. Perimeter-based solutions can prevent a significant number of threats from breaching the system, but every organization needs to ask what would happen if something does breach those defenses.

As Jeans' comments suggest, a large portion of information security is data-centric. This was further enforced by Verizon's 2012 Data Breach Investigations Report, which said that the majority of victims (59 percent) only find out sensitive information may have been compromised when a law enforcement entity notifies them. Another 26 percent of organizations discover they've been breached when a third-party fraud detection service issues an alert. This means that attackers often have unrestricted access to sensitive information for long periods of time, but, if that data is encrypted, it is useless to anyone without the encryption key.