"If you can increase their costs, hopefully they'll move on," he said.
New threats are coming from nation states that include cyberattacks as part of their defense plans. In some instance, these countries are funding attackers and using them as "cybermercenaries," he said.
Morrison is also looking to increase the use of two-factor authentication and decrease reliance on passwords.
"Password are a complete waste of time," he said. "They are the equivalent of signing the back of a credit card."
Passwords need to be 14 or 16 characters long to offer protection, he said, so people write them down to remember them, which places them at risk of being misused.
Trying to control employees use of USB-equipped devices to transfer data is another ineffective security measure, Gilmore said.
Identifying USB devices is challenging, he said, noting that the technology is found in common items like pens and watches.
"Data is ubiquitous, easy to transfer," he said. "How do you keep them from using USB? You don't."
Instead, companies should implement policies that make workers not want to steal data, and consider how to contain damage if information is leaked.
Businesses hiring IT security professionals should find candidates who think like the enemy, since cyberscofflaws don't follow rules.
"You need to have people that think like attackers," he said.
Sign up for Computerworld eNewsletters.