Headline-grabbing breaches of computer networks mushroomed in 2015, from Ashley Madison (a dating site for adulterers) to American government databases. The bill rocketed, probably into the hundreds of billions—a huge wealth transfer from law-abiding victims to cyber-criminals. Most attacks depended on exploiting carelessness with simple trickery, not computer wizardry. The online criminal economy is evolving fast, with crime-as-a-service businesses offering customers technical support and profit-sharing schemes. Though the internet is fundamentally insecure, the means to foil most attacks are readily available: keep data encrypted, on well-designed networks, with access and connections carefully managed—and stay vigilant for anomalies. The biggest vulnerability for managers is people (“carbon-based errors”), not machines. In 2016 politicians, regulators, insurance companies, credit-rating agencies, shareholders, customers, suppliers and employees will demand more care from those entrusted with other people’s data. But change will come only after a lot more pain.