The computer break-in was unique only in that it was widely reported. Businesses lose an estimated $10 billion or more annually due to security breaches in their computer systems, according to the Computer Security Institute, a San Francisco-based association of information security professionals. But you aren’t likely to hear about them. Companies rarely go public with news of a computer break-in for fear of scaring off customers or damaging their brand name.
Jeff Drake, executive vice president and co-founder of Access360, a privately-held security-software company based in Irvine, Calif., says a high-ranking executive at one of the companies he worked with once admitted to the press that Access360’s security audit revealed his company’s Web site had 80,000 invalid user IDs in its system. “Needless to say, he is no longer allowed to talk to the press,” says Drake. “Companies are not interested in going public with this information.”
As Internet usage grows at home and at work, computer security breaches have also risen significantly, particularly in the past few years. In the case of The New York Times, Adrian Lamo managed to view hundreds of the newspaper’s files, even accessing a database of Times op-ed page contributors containing personal information. Lamo didn’t do any damage, beyond embarrassing the newspaper. He even offered to help fix the “leak.” Still, the break-in served as another reminder that, despite advances in computer security, even the largest corporations remain vulnerable to computer attacks.
“The more visible the target, the more attractive it is to people who enjoy hacking and getting the recognition,” says Jamie Lewis, chief executive at Burton Group, an information technology advisory firm. “But the New York Times is no different than other organizations in that every organization has vulnerabilities.”
The total number of reported computer security incidents doubled in 2001, compared with the previous year, with more than 52,000 Web site attacks, viruses, network intrusions and other security breaches recorded by the Computer Emergency Response Team at Pittsburgh’s Carnegie Mellon University. And analysts predict the number of computer security incidents may double again this year.
There are plenty of methods for protecting computer networks and Web sites from break-ins. The tricky part is making sure the security measures are adequate for a particular system and making sure the system is safe from all potential hackers, even those within the company. “Inside hacking is by far the bigger problem and by far the more expensive for companies,” says Drake, who also co-authored the book “Security Provisioning-Managing Access in Extended Enterprises” due out later this month. Gartner Inc., a market-research firm in Stamford, Conn., estimates that more than 70 percent of unauthorized access to information systems is committed by employees, as are nearly all intrusions that result in significant financial losses.
Still, the majority of security incidents are of the least destructive kind. Rich Mogull, research director at Gartner, says many incidents are the cyber-equivalent of petty vandalism. Another type of computer intrusion he calls “hacktivism” is essentially cyber-vandalism but with a particular target. The most dangerous types of intrusion, cyber-crime, in which the goal is stealing money or sensitive information, and cyber-terrorism, are also the rarest.
Chao-Hsien Chu, a Pennsylvania State University professor who recently released a study with Iowa State researchers on new methods of computer-security detection, says there are three layers to computer-security breaches. An outer layer, or “firewall,” tries to keep outsiders out and alert the company if there is an intrusion. Once there is a break-in, it becomes a question of access; in other words, how much damage an intruder can do. Finally, even if an intruder is able to gain access to a company’s private files or Ethernet network, what can they do with the information? “Intrusion detection has been a research topic for a long time, but it is very complicated, so people have focused on the different stages of intrusion detection,” says Chu. “Really, there is no single system that is good for every stage of an intrusion.”
The problem is not so much with the products, many of which can provide good protection for computer systems when used correctly. Rather, experts say many companies just don’t consider all the potential threats, or they don’t place enough of a priority on computer security, allocating more money to other areas of their business.
“What we see as the biggest problem with information security these days is the lack of integrated risk management,” says Mogull. “When projects are developed, security is usually just thrown on at the end, as an afterthought. Even if it is part of the planning, it’s relegated to a corner.”
That is changing. As the number of incidents increases, companies are beginning to allocate more resources towards fortifying their systems. “It’s not so much that companies have been slow to respond, it’s just that the problem is so big no one can fix it over a weekend; it’s like trying to put all your fingers in the holes in the dike. It doesn’t work,” says Lewis. “The ideal balance that you want to achieve is making the cost of breaking into the system as high, or higher, than the value you would get by breaking in.”
Sometimes even that’s not enough of a deterrent. Security experts warn that there is no foolproof system. “The only completely secure system is one that nobody at all can use,” says Lewis. And that’s not much use to anyone.