How many IT directors were last week asked by their chief executives, following reports of the £220m attempted cybercrime raid on a Japanese bank in London: 'This couldn't happen to us. Could it?'

There can be no underestimating the intent or scale of threat now posed by organised crime gangs looking to crack companies' electronic codes instead of their safe combinations.

Research this week from Symantec suggests that more than half of all viruses and malicious code are designed for stealing money or sensitive information such as identity details. There are still plenty of geeky kids writing viruses in their bedrooms for a laugh, but some are growing up and turning professional.

But it should be noted that there is a good news angle to the Sumitomo Mitsui bank raid: it failed. Thanks to the early involvement of the National Hi-Tech Crime Unit (NHTCU), the police foiled the heist. Although no one from the bank or the NHTCU is commenting, the positive publicity - and the very public demonstration of the benefits of firms working with the authorities - is a huge boost to their activities.

Undoubtedly the bank will have taken the correct precautionary measures recommended by security experts. Anti-virus, anti-spyware, firewalls or intrusion detection systems will have been instrumental in detecting the presence of the threat.

But it should not be forgotten that this type of crime frequently involves the use of an insider to install the key-logging software used to gather passwords and access company systems. Crime still depends on human factors as much as modern electronic

methods, and IT directors need to work closely with physical security managers to ensure effective measures are in place.

The answer to the question: 'Could it happen to us?' is easy. Of course it could, and companies have to plan with the expectation of being targeted.

But the lesson is that, these days, best practice in IT security is essential practice.