Murray points out that our combination of brainpower, dexterity, endurance and other characteristics means that despite not having a particular specialisation "we can do pretty much anything any other animal can do, well enough [to prevail]."
So where one person without modern weapons might be easy prey for a bear, 10 people with primitive weapons can take down a bear.
Humans have adapted to predation, but aren't so good at defence.
"That's exactly the situation in cyber security," Murray told iTWire while he was in Melbourne for the Australian Cyber Conference. "People are out there trying to get your stuff... [data] is the new spoils of war."
"Defence is high effort... [and] very hard to implement," he suggests.
It's not as if this is a new problem. The earliest known example of two-factor authentication dates from around 54 BC, he says, and combined the use of a Caesar cipher (requiring knowledge of the offset used) and a scytale (requiring possession of a tapered rod of the correct dimensions in order to read the enciphered text correctly).
But IT increases the stakes due to the massive amounts of data that can be extracted once access has been gained.
Asked about the implication for security roles, Murray said "Most of my team are predators – that's what they're paid to do. After 10 years or so, some of them move into Blue Team (defensive) roles, where they address their new responsibilities by asking 'how would I break in?'"
For example, when BlackBerry conducts code reviews on behalf of clients it finds 'time bombs' (pieces of code that are designed to cause damage after a certain date unless updated by the malicious developer) "all the time."
IT workers generally need to "put up as many walls as you can" in order to "be a hard target," he recommends. (The idea of layered defences has gained considerable currency in recent years.)
This is especially true in industries where you find many people, he says. Places like airports and hospitals involve lots of people in lots of roles, and many outside service providers.
Patient records are particularly attractive, so healthcare providers tend to store only essential data in order to reduce the risk.
Murray predicts that in the future, people will be more likely to ask what they are actually getting in return for allowing organisations access to their data. There is currently a widespread assumption that everybody is being profiled, so there's no point worrying about it, but he thinks today's young people will change their minds about this as they accumulate assets that are worth protecting, and "there will be a shift in consumer approaches to data in the next ten years."
People are beginning to move back from mobile apps to the corresponding web sites as a way of increasing their privacy, he says.
If people remove their personal data from the "corporate treasure trove" (or at least stop it going in there in the first place), then the bad guys will go after something else.
"Commerce won't stop, but it won't be feeding off individuals," Murray predicts.