Still, even cybercrime groups suffer from market forces. They've so flooded the cyber black market with credit card data that prices are falling. Organized crime has shifted its targets. They're after medical records, which are valuable. They target company CFOs, aiming to get access to corporate bank accounts and wire money out of them. That tactic has had success: In late July, The Washington Post detailed how stealth Trojans had been used to infect a PC used by a county treasurer, a school district and the head of a small business. Hundreds of thousands of dollars were wired to money mules who then sent the funds on to bank accounts in the Ukraine and Russia.
Targeted industries are also shifting. While financial firms make the juiciest targets, Borenstein says that RSA is seeing more activity around the healthcare, manufacturing and government sectors.
Also on the rise are call center scams. Organized criminals may get access to someone's bank or brokerage account but be unable to transfer money because of Web protections put in place by financial firms. So the criminals call customer service to complain and even bully, hoping to get help in transferring money out.
Meanwhile, social networks "are gold mines to social engineers, to someone who wants to get to the CFO of an organization to attack them," says Joshua Corman, principal security strategist at IBM Internet Security Systems. Corman says CSOs need to tell employees not to answer things like those "25 Questions" surveys that run rampant on sites like Facebook because the answers often include information used as hints for account passwords.
BATTLING BACK AGAINST ORGANIZED CYBERCRIME
Even as cybercriminals get more sophisticated, the best ways to stop them are often the simple ones. Verizon's report said that many credit card breaches occurred at firms with minimal PCI compliance. It also found that 51 percent of firms breached had never changed the default vendor passwords for equipment.
Equipment itself gets overrated by CSOs and CISOs, says Michael Levin, former deputy director of the National Cyber Security Division of the Department of Homeland Security. "They are wasting money on hardware and software," he says. Instead, they should focus on basics such as telling employees not to click on e-mail attachments. Levin has cofounded the Center for Information Security Awareness in Fairfax, Va., which has prepared the free, online awareness training offered through InfraGard, the FBI's regional effort to work more closely with private companies on cybercrime.
CSOs should get involved with groups like InfraGard or develop relationships with regional FBI or Secret Service agents and local law enforcement. They should also regularly assess their risk levels. "You have to assess every record and every piece of data in the place for its value to criminals," says Cassidy.