If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

How Cybercrime Is Changing
The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. (For a possible way the TJX breach was accomplished, see How Organized Crime Uses Technology to Make Money.) “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the U.S. Department of Justice.

Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.”

That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.