Paul Morville has heard all the horror stories.

There’s the construction company that suddenly discovered more than $4 million in payroll for its 1,000 employees had been covertly transferred to who knows where.

There’s the CEO of a big tech firm who awoke one day to discover that all the company’s computer hard drives had been solidly encrypted and an anonymous hacker was offering to sell him the key to unfreeze them for thousands of dollars.

And then there’s the biotech conglomerate that learned – via a call from the FBI – that a criminal cyber sleuth had accessed its network for more than six months looking for regulatory documents that could tip off Wall Street traders about the status of its developing drugs.

Yes, Morville, the co-founder and Vice President of Products for Confer Technologies Inc., a cyber security firm in Boston, has heard them all.

What’s most surprising, though, is that even in this age of highly publicized stories of hacking, computer breaches, and sophisticated cyber attacks, safely securing their networks and computer systems still remains a low or overlooked priority for many companies. You install Norton Anti-Virus on everyone’s computer, set up a firewall around your network and let Al in IT take care of everything.

“Unfortunately, the traditional approach has been on pure prevention – setting up a perimeter around your network to keep out the attackers,” Morville said. “But we’re realizing that no matter how secure you think your system is, you’re not going to be able to block everyone. You’re not going to pitch a perfect game every time.”

The old antivirus software tools that are still used for securing corporate information are failing, Morville says. And it’s happening just as the volume and breadth of the information companies are trying to protect is growing by orders of magnitude and has expanded both inside and outside the corporate perimeter – on servers, laptops, mobile devices and in the cloud.

So more often now companies are looking to detection and incident response solutions, rather than simply prevention tools. And they should. In most cases companies don’t realize they’ve been attacked until months after the first breach has occurred, and often the notice comes by a call from authorities who are on the trail of the cyber hacker.

“Attackers have gotten way more sophisticated and they’re attacking a much broader set of companies,” said Morville. “We’re seeing companies that didn’t see themselves as targets now realizing that they are.”

According to a report by Identity Theft Resource Center, data breaches in the U.S. hit an all-time high last year. Topping the target list were medical/health care companies, retail, trade and energy firms and government/defense contractors. Those were followed by the education and banking sectors.

And the ITRC’s numbers may be low. Many institutions prefer to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure, said Adam Levin, founder and chairman of IDT911, which sponsored the report. In cases of encryption capers, companies simply pay the ransom demands to unlock their systems.

C-Suite and Boards Must Increase Focus on Cyber Risks

Cyber security experts say the broad potential repercussions of a serious cyber attack haven’t always permeated the C-suite at major companies despite the tangible costs – from stolen funds and damaged systems to regulatory fines, legal damages and financial compensation for affected parties – and intangible costs – including the loss of competitive advantage due to stolen intellectual property, loss of customer or business partner trust and overall damage to an organization’s reputation and brand.

A recent report from the professional services firm Deloitte said corporate CEOs and their boards must be fully cognizant of both the threats of cyber attacks and the methods used to deter them.

“Effective cyber security starts with awareness at the board and C-suite level – the recognition that at some point your organization will be attacked,” the report said.

Deloitte recommends that companies:

• Designate at least one C-level executive for cyber threat and risk management
• Have one or more board members that understand IT and cyber risks
• Establish a senior management committee dedicated to the issue of cyber risk.

Despite technological advances on both sides of the equation, the tried and true method for breaking into a company’s network is still through attaching documents to emails that an unwitting employee will click on, thus opening the door to attackers.

“It’s still the path of least resistance for hackers,” said Morville. “No matter how much you educate your workforce about not opening documents, it still happens all the time. The attackers use it because it works.”

You can’t always blame the employees. The cyber thieves will find a list of an employee’s friends from places like LinkedIn or Facebook and construct a realistic looking email that the employee will think was sent from a known source.

“Sometimes they’ll even be able to discover specific projects people are working on so they’ll send an email to the CEO that says something like ‘here’s that spreadsheet you asked me for last week,’ and the CEO will click on it and he’s owned,” said Morville.

Shortage of Cyber Security Experts Hampers The Fight

Perhaps the greatest challenge for businesses is finding qualified cyber security experts, as well as allocating the resources to support them. There is a dire shortage of experienced cybersecurity people. The Bureau of Labor Statistics has projected the demand for information security analysts will increase by 37 percent between 2012 and 2022. There will be about 100,000 more jobs available in the field of cybersecurity seven years from now, according to the bureau’s Occupational Outlook Handbook. Demand is rapidly exceeding the number of people capable of doing the job and many companies are reluctant to allocate the resources needed to support a full-time professional security team, even though they may need one.

As a result, more companies are turning to managed security services that can provide threat-level prevention, monitoring and response security equal to those employed by the top Fortune 500 companies for a fraction of the price. Fortunately, there’s no shortage of managed security firms and the market is rapidly expanding. Massachusetts, in fact, has the third-highest number of cybersecurity firms of any state in the country – 31, behind California and Virginia – according to the Cybersecurity 500, a global compilation of leading companies that provide cybersecurity solutions and services.

The checklist for companies considering and evaluating their computer security needs varies from the prosaic to the intricate, according to security experts:

• Choose the security framework that is best suited for your organization based on industry, regulatory requirements and contractual agreements.
• Implement a layered defense strategy that includes technical, organizational, and operational controls.
• Establish clear policies, procedures and standards that can be understood by every employee, not just IT departments.
• Implement Technical Defenses: firewalls, intrusion detection systems and Internet content filtering.
• Update anti-virus software daily.
• Regularly download vendor security “patches” for all software.
• Change the manufacturer’s default passwords on all software.
• Monitor, log, and analyze successful and attempted intrusions systems and networks.

Companies must also examine their liability and property damage insurance policies to see if they cover cyber attacks. When Sony Corp. was attacked, allegedly by Chinese hackers, one of its insurers contended it was only covered for tangible losses not cyber incidents or intellectual property losses. Cyber insurance is also a rapidly growing field. Like auto insurance, the premiums are often discounted if you have sophisticated anti-theft systems in place, and can increase substantially following a successful cyber attack. And yet, only one third of the companies surveyed recently by Advisen, a research group, said they have purchased a cyber insurance policy.

Like cybersecurity itself, insurance is something you may find out you need only after being victimized by an attack.