In the old days, a business worried about some desperate thief with a gun walking in and raiding the cash drawer. Today, there’s a much different — and much worse — threat.

Consider these statistics from Bloomberg Financial: Last year, the amount of cash stolen during old-fashioned bank heists totaled $43 million; the amount stolen via online theft, mainly from the accounts of small-to-midsize businesses, was about $1 billion.

And here’s the kicker: In most instances, the business had no recourse but to swallow the loss, because the banks in question insisted the hackers had penetrated the business’s system, not the bank’s. Since there’s no consumer-protection law that covers online banking against losses by theft, a business owner would have to go to court to prove the problem was caused by a crack in the bank’s cyber-security. You can imagine how much that would cost and how hard it would be to prove — which is exactly why smaller companies rarely even try to win such cases.

Note: Legislation to extend wire-fraud protection to small business accounts has been kicking around Congress, but the American Banking Association has mounted mighty opposition to the bill, for obvious reasons.

One rare win

One company, Experi-Metal, did win its case against Comerica Bank. Experi-Metal was hacked and its bank accounts were electronically looted, but there was one catch in the company’s favor: Experi-Metal’s IT people suspected hacking and informed Comerica to be on the lookout for suspicious action. After the theft, the bank refused to cover Experi-Metal’s losses. The company sued, arguing that, forewarned, the bank should have done more to prevent the theft.

What to do?

So how can smaller companies guard their accounts? Two possibilities:

• Take a cue from the Experi-Metal case. Make sure someone’s watching your system, and if there’s any suspected funny business, immediately let your bank know. That might not stop the hackers, but it will at least give you a legal argument that your bank holds some responsibility if there is theft.
• See if your bank or another one has “hacker insurance,” which covers you for theft losses suffered as a part of online banking.

In the wake of the Wikileaks exposure of secret government documents, the fallout has brought to light two big problems for organizational leaders: How safe and resilient are their own systems and what will their response be if attacked by folks who want to punish them for whatever wrong they perceive is the organization’s responsibility?

Wikileaks has become something of an icon for data security experts, primarily because of its ability to fend off DoS attacks in recent weeks. Now the organization’s fans are banding together to punish organizations that try to penalize the government documents-leaking group.

First the whistleblowing website showed its impressive agility in being able to keep operating despite attempts by many to shut it down. By quickly moving its website from Internet Service Providers in one country to ISPs in another, the site has continued to keep spewing forth secret and classified diplomatic messages for weeks now.

But then the group was attacked by sanctions supported by private business and financial institutions. Both Visa and MasterCard, which declined to process donations to Wikileaks, found their own servers under attack recently, and both suffered hours of downtime from the efforts of Wikileaks fans who belong to the Web vigilante group, “Anonymous.”

Anonymous has been fighting an ongoing crusade dubbed Operation Payback for the last several months, mostly in defense of folks who share copyrighted material. The group knocked off-line a number of pro-copyright websites, belonging to people and organizations that have been active in trying to stop such file sharing, like the U.S. Trademark Office and Gene Simmons, member of the rock band Kiss.

Now the loose affiliation of “hacktivists” has turned their attention to groups that oppose Wikileaks and its founder, Julian Assange.

Anonymous has offered its resources in the service of “payback” against some of the companies that have recently blocked WikiLeaks’ financial resources. PayPal was offline briefly recently, as was the website for the Swiss bank that recently froze Assange’s assets.

The problem here: Not many organizations have the tech know-how to defeat an organized group of savvy hackers. A few hours or days of having your servers taken down can have a huge impact on income for many companies caught in the middle of warring factions. What’s your plan for protection?

You can bet the more than 1.5 million members of Gawker Media have been thinking about that — since its database was hacked and data about its users’ personal info (e-mail addresses, passwords and usernames) was made public.

The passwords were encrypted, but 188,279 of them leaked out.

Gawker suffered public embarrassment, and the incident should serve as a learning experience for businesses and individuals that keep sensitive info on computer systems, and think it’s safe to bury that info behind basic usernames and passwords.

The first lesson: Don’t use numbers alone to create passwords.

Why? The No. 1 password among Gawker users was “123456.”

Suppose that one didn’t work, hackers could’ve tried “12345678″ (No. 3 on the Gawker list) or simply “password” (No. 2).

Other popular passwords on the list that you shouldn’t go anywhere near:

• abc123
• 111111
• 12345
• 1234567
• 1234
• 123123
• 654321, and
• 666666.

The list also contained a few surprises in terms of what passwords were popular, like:

• iloveyou
• sunshine
• letmein
• welcome
• whatever
• blahblah, and
• monkey (in the top 10).

Corrective action

In response to the hacking, Lifehacker.com (a site published by Gawker), has created a detailed FAQ about what you need to know and what you should do, if you think someone may have hacked into your accounts.

The site also offers guidance on creating a new password.

Have you — or your business — ever been victimized by a hacker? Help other readers by explaining what you did to rectify the situation.

When it comes to security training, however, IT tends to focus however, on staff-level employees, leaving the C-suite out of the picture.

Why? Mostly because these are busy people who may not feel they have time for something as time-consuming and tedious as protecting company data and information.

But here’s why it could pay to include execs in the company security plan, as laid out by security consultant Jayson Street in a recent Info World article:

1. They have access to the most sensitive data, which means hackers put a lot of effort into targeting them specifically.
2. They use the latest technology. Execs are often the ones in the company that get their pick of computing devices. After all, they’re the ones with the clout and the need to stay connected 24/7. But using newer, non-standard devices also means they’re the most susceptible to hackers.
3. They expect to be protected. Execs know they’re important, so they often assume their equipment is kept more secure than other people’s.
4. They expect to be exempt from the rules – not all of them, but some. Security controls are often an inconvenience, and some execs feel they’re in place for the folks who work under them, but not for themselves.

If you’re a top level manager or executive suite dweller, make sure you check in with your IT group to be sure that you’ve got the latest in security tools for your computer and other high tech gadgets. Ask for a private lesson or join one with “the troops.” It’ll be a good team building exercise and send the message that IT security is chould be everybody’s concern.

After preying on larger firms for years, many hackers are taking aim at small to midsize businesses.

Why now? Because the majority of larger companies have finally heeded IT warnings and beefed up their security systems — and many smaller firms have yet to follow suit.

The result: Hackers would rather go after a smaller business with weaker security than a larger one with airtight protection.

But the majority of smaller companies are still in the dark about this growing threat. According to a survey by Chris Gray, the director of innovation policy at the Canadian Chamber of Commerce, almost two-thirds of small and medium-sized businesses believe large businesses are still the main target of cybercrime.

In addition, the annual Visa Security Summit in Washington, D.C., cited this industry research about small businesses’ vulnerability to threats:

• 66% have no security plan in place
• 60% have no encryption on wireless links, and
• 20% of small businesses don’t use antivirus software.

Now’s a good time to huddle with IT or bring in an outside consultant to find out how secure your firm is.

Experts also recommend small businesses rely more heavily on banks and third-party security services to deal with their credit-card processes. The reason: Small businesses won’t have to hand over large amounts of credit-card data.