In a country divided by the upcoming election, President Obama garnered bipartisan support for a significant budget increase this week: $5 billion in additional cyber security spending. The one-third increase — to $19 billion in 2017 — marks an initiative from our country’s highest office to crack down on cyber threats — which are, in Obama’s words, “among the most urgent dangers to America’s economic and national security.” A similar attitude prevails on the global stage: The World Economic Forum named cyber attacks one of the greatest threats to business, above terrorist attacks and interstate conflict.

The escalated attention to cyber defense couldn’t come sooner, as government organizations and businesses struggle to prevent some of the most dangerous types of attacks.

In the 21st century, hackers are the bank robbers and data is the hostage.

Imagine thieves stealing your company’s computers, demanding money for their return and putting them through a trash compactor if you decline. This nightmare is frighteningly close to the reality of cyber ransom. Victims rarely have any alternative besides giving in to hackers’ demands. Unfortunately, cyber ransom is one of the more prevalent and lucrative forms of criminal hacking to threaten companies today.

In the increasingly monetized world of hacking, no target is safe from criminals holding important files hostage for ransom. One variation of this service, “ransomware,” functions as a malware that encrypts files on a computer, preventing the owner from accessing them to extort payment. Security professionals have not cracked the code on preventing ransomware attacks: Experts detected four million samples in the second half of 2015, up from 1.5 million two years ago.

The size and scale of the attacks reflect a new audacity on the part of perpetrators. In the past year, hackers have carried out ransom attacks on a British telecom provider, Greek banks, and a United Arab Emirates bank. In this last case, the bank refused to negotiate, and the hacker publicly posted the sensitive information of nearly one million customers in response. In the 21st century, hackers are the bank robbers and data is the hostage.

To negotiate with hackers?

Contrary to the philosophy of not negotiating with terrorists for fear of incentivizing future incidents, the FBI has actually recommended that victims pay ransoms in certain scenarios. While critics claim this strategy only validates the method as a financially viable solution for hackers, victims and law enforcement alike are essentially helpless. The economic argument for dissuading future ransoms doesn’t compel companies faced with losing access to critical information.

Realizing that their organization’s reputation would be on the line, 24.6 percent of IT departments reported that they would pay a ransom to prevent a data breach.

What do the security professionals on the front lines think? The grim stories of past victims certainly inform the reactions of security professionals when asked whether they would pay a ransom. Realizing that their organization’s reputation would be on the line, 24.6 percent of IT departments reported that they would pay a ransom to prevent a data breach. We’re not talking about trivial sums, either: 14 percent would pay more than one million dollars. This amount isn’t surprising when you consider the enormous financial damage a company suffers in the wake of a breach. Costs soar beyond tangible expenses from damage to a brand’s reputation. The average cost of a breach rose to $3.8 million in 2015, not to mention potentially the jobs of the security staff involved.

Rising price tags drive accountability for breaches

Are we at such a desperate state of cyber security where we’re just waiting to pay ransom for the next breach? Consumers have grown weary — 63 percent expect their data to be compromised in the next 12 months. It’s difficult not to ask the question, “Is something wrong with the way we protect information?”

It’s more expensive to be hacked than ever before — the average cost of a breach rose to $3.8 million in 2015.

While consensus places responsibility for cyber security with the CEO and board of directors, there is a huge gap between words and action. A global study of 109 banks found that only 6 percent of board members have technology experience, and 40 percent of the banks do not have any board members with a technical background. Lack of oversight at the top is a recipe for disaster, resulting in failure to properly enforce corporate governance. Companies may put off upgrading cyber defenses because of the cost, only to find that they underestimated the financial impact of a data breach.

Cyber security is embedded in a web of financial incentives, but the increasing costs of failure, i.e., suffering a data breach, indicate that companies will be held increasingly accountable for protecting data. For example, whether or not a company has cyber insurance in place factors into the decision to pay ransom. Companies with cyber insurance are more willing to pay up. Cyber insurance costs are rising, however, with certain companies even evaluated as uninsurable. In the same trend, the European Union introduced new regulations on protecting customer data — with more teeth than ever before. The maximum fine increased to €100 million or 5 percent of global revenue, whichever is higher. Combined with the increased average cost of a breach, it looks like it’s more expensive to be hacked than ever before.

Outgunned and outmatched?

Simply throwing more money at security does not appear to be the solution, however, as last year marked an increase in security budgets and breaches. Criminal hacking has transformed from solo hackers into a true industry with organized syndicates. These groups have the advantage of innovative, state-of-the-art tools. Are companies doomed to fall behind hackers in a cyber arms race?

An entire collaborative ecosystem has developed to support the hacking economy. There are sleek applications to automate stolen credit card credentials, and researchers even uncovered a ransomware-as-a-service (RaaS?) offering. Hackers regularly leverage free consumer cloud services in attacks against companies with security budgets in the millions of dollars.

An entire collaborative ecosystem has developed to support the hacking economy.

A paradigm shift favoring the good guys may lie in a parallel climate of innovation on the enterprise side: The consumerization of IT. The federal Office of Personnel Management, after suffering a blockbuster data breach, bemoaned the weak security capabilities of the outdated technology in place. Cloud services are disrupting legacy tech vendors, and not just because the applications are easier to use for employees. A majority of companies — 64.9 percent — now consider cloud services as equally or more secure than traditional legacy software. Many cloud service providers are innovative, venture-backed startups employing some of the best talent in the world. Security is their bread and butter, since their entire business model depends on not getting hacked. Leveraging the latest and greatest cloud applications gives companies the firepower to keep up with hackers.

An industry analogy compares cyber security to running away from a bear in the forest: You don’t need to be faster than the bear; you just can’t be the slowest person running away. The use of emerging technologies for IT and security is now a competitive differentiator. To bring light to the end of the cyber security tunnel, companies need to open the door to new technologies.

Rajiv Gupta is a co-founder and CEO of Skyhigh Networks, a cloud security and enablement company. He has more than 20 years of successful enterprise software and security experience, and is widely recognized as a pioneer of Web services. Reach him @trustedmind.

This article originally appeared on Recode.net.

Anyone in the U.S. who has seen a health care provider in the last two decades is familiar with the data privacy requirements of the Health Insurance Portability and Accountability Act, better known as HIPAA. Every patient is asked to read a privacy statement and sign a form to acknowledge understanding that statement.

Health care workers are schooled on the intricacies of the law, so it’s a bit of a surprise that workforce members of St. Elizabeth’s Medical Center (SEMC), a hospital in Brighton, Mass., used an Internet-based file sharing service to store documents that contained electronic health records of 498 individuals without first assessing the risks associated with the use of the service. As the result of the HIPAA violation, SEMC agreed to pay $218,400 to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), and SEMC must comply with the terms of a Corrective Action Plan (CAP).

Software applications delivered via the Internet, commonly known as cloud computing, are transforming how businesses operate. Studies from Vanson Bourne have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6 percent faster than their counterparts that don’t. That kind of growth is luring more companies to the cloud.

The ready availability of more than 16,000 cloud applications empowers individual workers, work groups and entire business departments to engage directly with service providers to set up the applications they need in hours, or even minutes. While the rapid road to productivity that cloud computing offers is a positive development, it also opens up areas of risk, especially when applications are deployed without the support or knowledge of the IT department. This is a costly lesson that was learned firsthand by the staffers of St. Elizabeth’s Medical Center.

Skyhigh Networks’ analysis of actual usage shows that the average organization now uses 1,154 cloud services — a number that has more than doubled in just two years. New cloud services are launched every week, offering innovative features and capabilities that entice workers to try them. On the plus side, organizations have never had more cloud apps to choose from that provide robust levels of security for enterprise data. Nevertheless, workers opt to use less secure consumer-grade cloud services for business purposes 27 percent of the time.

In recent years, the role of the IT department has shifted away from being an organization’s sole source of all computing resources and information services to being more of a consultative partner to help business departments evaluate and select appropriate cloud-based services. A primary concern is the security of corporate data going into various cloud apps. Business departments and their IT counterparts have a shared responsibility to ensure that data is protected with measures that meet or exceed corporate policies.

Risky behavior: When sharing is erring

Among the most frequently used types of cloud applications are collaboration and file-sharing services. Many originated as a means to synchronize files across devices, but now they commonly offer the ability to share files with colleagues and business partners and to allow users to edit the same file in real time. The average company uploads 5.6 terabytes of data to file sharing services every month. To put that in perspective, 5.6 terabytes is roughly 480 million pages of Microsoft Word documents. Every month.

It’s not so much the volume of shared data that’s a concern, but the nature of the data and how it’s protected. Around 15 percent of all documents uploaded to cloud-based file sharing services contain sensitive information such as confidential company data, personally identifiable information, payment data or protected health information. These classifications of data need strong security measures to protect against theft, corruption or loss.

Some, but not all, cloud services inherently provide enterprise-grade data protection features, including encryption, tokenization and data-loss prevention. It’s the responsibility of the party engaging with these services to ensure that the data security measures are completely in line with corporate standards. For example, a cloud service might provide data encryption, but the encryption keys are held by the service provider. This is inadequate as a corporate security measure, in that whoever has access to the keys can also have access to data in the clear; in this case, it’s the service provider. Most enterprises have policies that prohibit this scenario.

Another concern about the use of file-sharing and collaboration services is who the files are shared with. Skyhigh Networks has observed that 28 percent of documents that are shared via a service are provided to external business partners. Of the shared files, 5 percent are accessible by anyone with access to the appropriate link. These links are easily forwarded and can create risk, since the organization cannot audit or control who is accessing the document. Of further concern, 2.7 percent of these files are actually publicly accessible and indexed by Google. Imagine confidential business development plans, meant exclusively for the use of a business partner, being readily available to anyone using Google’s search engine.

When attackers act like insiders: Compromised accounts

Data thieves are taking notice as organizations put more and more sensitive information into cloud applications. Compromised credentials for SaaS applications can make it easy for an external actor to gain access to these critical business applications and, for all intents and purposes, appear to be the legitimate user. How are account credentials compromised? Largely through phishing attacks and database hacks. Skyhigh research has shown that 92 percent of companies have cloud credentials for sale on the Darknet. Three out of four organizations have at least one compromised account each month.

A highly popular cloud storage service had a breach in 2012 in which users’ accounts were easily accessed. The attackers used account information and passwords that were stolen from other websites to gain access to the storage accounts. The damage could have been lessened if users hadn’t reused their credentials from other websites, but it also shows that multifactor authentication (MFA) could have been a good deterrent in the attack. MFA requires a second form of authentication, such as entering a code that is sent out-of-band via text message, email or phone. Using MFA is a best practice for all applications, but certainly for cloud applications that sit outside a corporate firewall.

Shared responsibilities

IT departments don’t want to stand in the way of business workers’ productivity. If cloud-based applications are needed to support business processes, that’s fine, but engaging those services should be a shared effort between the lines of business and IT. The business departments own the data going into the cloud, but IT personnel have a duty to help secure it. IT can help workers and departments assess and select enterprise-ready cloud apps and verify that adequate controls are in place to help assure data security, governance and compliance. Less data security should never be a trade-off for the convenience of using cloud-based applications.

No organization wants to be the next data-breach news headline, and all employees have a responsibility to protect their company’s data assets, regardless of where they are.

Rajiv Gupta is a co-founder and CEO of Skyhigh Networks, a cloud security and enablement company. He has more than 20 years of successful enterprise software and security experience, and is widely recognized as a pioneer of Web services. Reach him @trustedmind.

This article originally appeared on Recode.net.