With a spate of security breaches topping the headlines this month, identity theft is also topping the minds of businesses and CIOs as criminals hack into corporate networks to steal and use personal information that invades individuals’ privacy and costs companies and individuals billions of dollars each year.

Identity theft is booming and the cost of neglecting security and continuity can be catastrophic. According to a Computer Security Institute report, the average U.S. business between 1997 and 2003 lost $199,900 because of computer viruses. More than 9.9 million Americans were victims of identity theft last year, a crime that cost roughly $5 billion dollars, says a US Post Office report. The damage to a company's brand and shareholder confidence can be significant.

Much of the time, IT departments are too stretched to devote the resources to keeping up with hackers -- let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in. However, organizations spend too much time reacting to security breaches, rather than preventing them from happening. The most effective deterrent to identity theft is making an organization's IT architecture so airtight that thieves decide it's not worth it.

After all, there is fundamentally nothing new about identity theft, which amounts to exploiting holes in existing technology. Instead of rifling trash bins for credit card receipts and wiretapping phones, today's thieves steal data using a mouse and keyboard, and sell to the highest bidder on the street. The hackers are also often recruited by thugs to steal information.

It follows that organizations need to get more serious about fighting this growing menace. Most important, they need to replace the patchwork of security systems currently in place with an overall security architecture that plugs the holes inside and outside the enterprise, makes sure the right people have access to the systems, applications and data they need, and keeps everybody else out.

Here is a plan of attack to get ahead of the identity thieves:

1. Design a solid security policy. Good security management starts with putting on paper a written Security Policy that outlines all of the firm’s objectives, standards, and compliance requirements for information security. This document can also be used by management as a tool for rallying the organization around the firm’s security principles. Template policies can be found on the Web to avoid “recreating the wheel.”