The news on the IT security front is alarming. Recent months have seen one report after another of companies exposing, selling or simply losing customer data to criminals.

The reason: The security threat has changed, according to Bruce Schneier, CTO of Counterpane Internet Security Inc., of Mountain View, Calif.

In the past three years, he says, "criminals have taken over from hackers." The latest twist in cybercrime is online extortion.

The August 2 issue of "Newsweek International" reported that online gambling sites have been hit by extortionists who threaten to shut down their Web sites with denial-of-service attacks unless the gambling sites pay off the blackmailers.

Resource Library:

According to Alan Paller, director of research at the SANS Institute, an IT security educational organization located in Bethesda, Md., banks and online retailers have also quietly paid off online extortionists, whose demands have, to date, ranged as high as $1 million.

And in June, the U.K.'s National Infrastructure Security Co-Ordination Centre warned that Trojan horses (transmitted by e-mail or through Web sites) that appear to come from legitimate sources, and so can evade antivirus software and firewalls, were specifically targeting individuals who work with sensitive "commercially or economically valuable information."

Click here to read about how some customer data may be too risky to keep.

The latest update from IBM Corp.'s "Global Business Security Index" indicates that such targeted attacks are a fast-growing percentage of the 237 million infected e-mails and attacks perpetrated in the first half of 2005.

In light of these reports, our latest security survey of nearly 300 IT executives presents some pretty grim findings.

Three out of ten respondents admit that their company's attitude toward security has become more relaxed as the events of Sept. 11 fade into the past.

Two-thirds report some kind of security breach, from penetration by viruses or spyware, to lost data and inappropriate access.

And while security experts are encouraged to see that the sort of carelessness and negligence that lets hackers and thieves get past a company's defenses is now recognized as the top security issue problem.

"It's a good sign, a sign we're starting to see CIO awareness match actual risks," says Counterpane's Schneier.

Still, many companies aren't taking steps to improve awareness and education.

This last problem was also identified as a major concern in both Ernst & Young's 2004 "Global Information Security Survey" and in Deloitte's 2005 "Global Security Survey" of major financial services companies.

"What's disturbing is that while employee negligence is a big concern, training and awareness programs are not high on the radar screen," says Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP, in New York City.

The IT executives and experts we spoke with agree that defending companies from attack and theft requires more than deploying security technology.

"It takes a combination of people, processes and technology, not one thing," says David Siesel, the CTO of the direct marketing group at Harte-Hanks Inc., a $1 billion media company based in San Antonio.

So why the reluctance to invest in security awareness and training?

Next Page: Increasing awareness is not enough.