Everyone knows black hat hackers are a growing menace who steal data and wreak havoc on computer networks. But who are they, exactly? Popular caricatures often depict a lonely misfit in a hoodie. The reality is less abstract—though just as scary.
As it turns out, hackers fit pretty neatly into the four boxes of people described below. That’s according to cybersecurity experts from Pricewaterhouse Coopers, who used an event in New York last week to explain the four types who might attack a computer network and what they’re seeking. The event was targeted at law firms, but the advice will be useful for almost any company with online assets.
Here’s a quick overview of who might be coming for your networks, plus what you should and should not do when the hackers get in.
Meet the Hackers
Hacking and data breaches are hardly new, of course, but their attacks are becoming more sophisticated. Meanwhile, as firms store evermore data online, their choice of targets become more appealing. Here are the culprits.
Nation States
These are hackers employed by military and intelligence units of foreign governments like China. In the past, their mission resembled that of spies—snooping around for state secrets. Today, they are just as likely to go after corporations in order to steal their intellectual property, and gain an economic or technological edge.
Organized Crime
Doug Bloom, one of the PWC presenters, is no stranger to the world of finance. But even he couldn’t keep up with some of the corporate valuation models he witnessed in online “dark net” forums where criminals convene to plot cyber attacks.
According to Bloom, the hackers in these forums come together in the same way professional thieves do to plan a bank job. They form a team, select a target, methodically plot the attack and then go their separate ways after the heist. The only difference is they don’t walk off with cash and gold. Instead, the prize is confidential corporate information—everything from an insurer’s underwriting information to a pharma firm’s drug applications—that can be sold to other criminals online.
Hacktivists
These guys probably come closest to the hooded hacker of popular imagination. They’re different from the other types of hackers in that their primary motivation is political rather than financial.
Hacktivists have targeted law firms that represent controversial clients such as Guantanamo detainees and corporate firms that take certain political or social positions. The harm they inflict can come in the form of embarrassing public leaks such as what befell Sony in late 2014.
Insiders
According to PWC, insiders may represent the most widespread and dangerous type of hacker. They are people already inside the organization who decide to obtain and exploit secret information for personal gain. A recent example include lawyers in New York who used confidential client data to make money on insider training.
Get Data Sheet, Fortune’s technology newsletter
What to Do Once the Hackers Are Inside
Company executives may be tempted to build their corporate firewall higher and higher in order to keep the hackers out. But the cyber experts argued such a strategy is impractical since too many barriers will keep clients out too.
“Defense is not a technical problem, it’s a business problem,” said James Fox of PWC, who has an MBA from Wharton. “You can build a wall as high as you want, but there still has to be a way through—and the most common way is through phones and emails.”
For more on cybersecurity, watch:
A determined group of hackers, he said, will eventually get in through stealth or trickery. When they do, companies should resist the temptation to blame it all on their IT staff since any breach is most likely the fault of some other employee.
Instead, the immediate task should be to avoid alerting the hackers to the fact that the company has discovered them. The reason is that once hackers are inside, they want to stay there as long as possible—just as companies work hard to keep a client, hackers have spent resources to break into a company and are inclined to stick around in search of more information. If they know the firm is on to them, they will bolt—but in many cases not before they install some ransomware as a parting gift.
As such, it’s better to back up or sequester valuable information before the hackers can destroy it or hold it for ransom. (Oh, and companies should also know the legal steps they must take if they do find about a breach.)
Finally, smaller companies, including law firms, shouldn’t try to create elaborate security schemes on their own. A much better solution is to use large cloud computer providers like Amazon or Microsoft that are much better at securing their systems, and that are able to store sensitive information across multiple servers.
(This story was amended at 11amET to add the phrase “black hat” hackers. It has also been corrected to reflect Jim Fox, not Doug Bloom, has an MBA from Wharton. An earlier sentence in this article also erroneously portrayed Chinese hackers as insiders; that sentence has been removed)
