Banking and finance, nuclear power, air traffic control, health care and other critical industries are required by law to report certain types of security breaches or data loss. If you don’t know what laws apply to your company, you should find out before you’re attacked, Rasch suggests. You may also be required under contract to report attacks or breaches.

The "right thing to do" isn’t as easy to define. Rasch and other security consultants say there are certain instances when you absolutely, positively should call in law enforcement. Things like bomb threats and child pornography should never be swept under the rug, not only because of the potential damage to human life but because a company can be held liable for such behaviors from its employees. Further down the severity scale are cyberstalking, extortion threats, denial-of-service attacks and the proliferation of viruses.

The toughest call to make is determining your bottom-line impact, says Rasch. If your company loses trade-secret data to a random 15-year-old hacker, it may be better to handle the matter privately instead of risking a public relations fiasco. "But if it’s a competitor who now has the blueprints for your new widget," he says, "it becomes very important for you to find out who did it."

The problem with that reasoning is that during an attack or at the moment you detect an intrusion, you’re working blind, say law enforcement officials. You can’t know if you’re dealing with a random hacker or an underhand competitor until afterward. That should be reason enough to quickly call in reinforcements.

"If there is destruction or loss or theft of data, if there is a loss of $5,000 or more for a nongovernment nonfinancial institution, if there’s been a root-level compromise or a denial of service, you should call," says Doris Gardner, supervisory special agent in charge of the FBI’s Charlotte, N.C., Regional Computer Crime Squad. As clear as those guidelines sound, Gardner and her counterparts in other task forces acknowledge that there won’t be an increase in the number of crimes reported until they address corporate America’s three biggest fears?the loss of control once they call the cops, being played for fools in the national media, and that in the end the feds will fail to catch the perpetrators or return a conviction.

Fear One: Loss of Control

Gardner is emphatic when trying to reassure nervous companies that an investigation will not spin out of control. When agents start examining evidence, she explains, they will most likely begin with the servers and inspect the logs to try to determine who touched what parts of the system and where they were coming from. A company’s IS staff members are vital players during this type of investigation. "You’re going to be involved," she says. "It’s a partnership."