Archive for May, 2011

Preventing Malware Attacks: W32.Qakbot Rears its Head Again

The first half of 2011 has seen cybercriminals making headlines and wreaking havoc with major data breaches. For IT folks, every day likely feels like a fight to protect your company’s valuable data, and you may begin to wonder if this is a battle that the good guys can win. My take is yes, we can. But doing so requires being one step ahead of the criminal minds.

The latest news on the malicious attacks front involves W32.Qakbot. Even though this worm has been around since at least 2009, people and organizations continue to be affected by this threat on an ongoing basis. Why? Because the malware authors behind Qakbot are aggressively seeking means to push this threat to a wider number of victims.

During the past few months, there have been high levels of active development on the malware authors’ side, with the intent of circumventing the detection techniques used by various security software.

Protecting Corporate Data—1024-bit Encryption and Beyond

There’s little question that enterprises and consumers are facing increased threats from cybercriminals. It seems that every day, we are hearing about another government entity or large business being hacked and losing files in more insidious ways.

Encryption has been the standard technology for decades to protect data wherever it is – in motion, in use and in storage. For years, 1024-bit encryption has been popular to protect sensitive commercial and government data. Given the constant advancements in computing power, however, encryption that is good enough today will not be good enough down the road.

In anticipation of this need for ever-greater security, the National Institute of Standards and Technology (NIST) has mandated the adoption of 2048-bit encryption by the end of 2013. This announcement, however, does not mean that 1024-bit encryption is no longer sufficient today. The fact remains that 1024-bit encryption has never been cracked – and it would take millions of computers and a couple of years to break just one code at that level.

Buckle up: Malicious Attacks are on the Rise

Not too many years ago, drivers often allowed their social security numbers to be printed on their licenses. Today consumers are wise enough to avoid that, yet they trust dozens of businesses with equally sensitive data such as their name, birth date and email address. That data is not only valuable to the organization, but also to cybercriminals looking to profit from careless security practices.

Enterprises are learning the hard way how vital it is to protect their customers’ data, with more and more businesses suffering black eyes in the media from recent data breaches. Hackers are quickly learning to steal and exploit whatever data is not well protected, instead of solely targeting financial information. Because of attack vectors such as phishing, these cybercriminals can utilize something as seemingly harmless as an email address to create a targeted attack designed to coerce people into giving up more valuable information.

Is Tokenization the Cure for Meeting PCI DSS and Minimizing Data Breaches?

One thing gaining traction in PCI DSS is the notion of tokenization, which uses a unique identifier instead of the credit card data after its first use in an authorized transaction. Afterwards, the actual card data is stored in a centralized, highly secure server called a “vault” and a token is used in its place. This approach removes the actual card data from the applications and systems when it isn’t needed and reduces how much of the Cardholder Data Environment (CDE) is in scope for PCI. This, in turn, makes it easier to manage and meet PCI compliance!

Why? Because if a system, application or host doesn’t actually store or process card data—remember, they’re using a token instead—then it may not be in scope for the PCI environment. This may significantly reduce what “things” are part of the PCI environment. Another advantage of PCI tokenization is that if an attacker compromises the system and obtains this token, it isn’t card data, which reduces the impact of a data breach.
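
The vault-and-token flow described above, as an added sketch that is not code from the original post. `TokenVault`, the caller names and the `tok_` token format are hypothetical, the vault is an in-memory stand-in for the centralized server, and the card number is a constructed test value.

```python
import re
import secrets
import string

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def holds_card_data(record):
    """Scope check: does any field contain a Luhn-valid 13-19 digit run?"""
    return any(luhn_ok(run) for value in record.values()
               for run in re.findall(r"\d{13,19}", str(value)))

class TokenVault:
    """Hypothetical in-memory stand-in for the centralized vault."""

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random letters only: not derived from the PAN, never Luhn-valid.
            token = "tok_" + "".join(
                secrets.choice(string.ascii_letters) for _ in range(24))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token, caller):
        # Only systems inside the CDE may exchange a token for card data.
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def demo():
    vault = TokenVault(authorized_callers={"payment-gateway"})
    token = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    order = {"order_id": "A-1001", "card": token}  # what the shop stores
    return vault, token, order

if __name__ == "__main__":
    vault, token, order = demo()
    print(order, "holds card data:", holds_card_data(order))
```

The order record carries only the token, so a scan of that system finds no card number, while the vault and the callers allowed to detokenize remain in scope.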