Real criminals are now in control of security threats, and brand reputation and market share are at risk.

The direct costs of malware were down in 2006, but hold off on cheering. The indirect costs — loss of brand reputation, market share, and such — likely are increasing as a result of the role criminal enterprises now play in all this.

Oh, and if that isn’t cheery enough, direct costs — things like labor to analyze and clean up infected systems, and loss of revenue due to loss of or degraded system performance — also were up for the first six months of 2007.

This year is on track to surpass last year’s direct-cost damage estimates, according to Computer Economics, which has published its 2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code.

The report finds that for the second year in a row, worldwide malware damage costs declined. In 2006, direct damages fell to $13.3 billion, from $14.2 billion in 2005 and $17.5 billion in 2004. But with indirect costs predicted to rise, survey respondents say they consider the malware threat to have gotten worse over the past year.

The downward trend in direct costs last year has another dark side.

“The direct costs are down because they’re not trying to wreak general havoc,” says Mark McManus, VP, IT Research at Computer Economics.

Not only is malware these days directed at a more targeted set of organizations, but some companies may not even have recognized attacks were underway. Unlike the malware exploits of the past, when young hackers’ aims were to be publicly recognized for causing widespread disruptions, today’s malware producers are typically criminal gangs engaged in stealing identities and money.

“Now it’s more targeted attacks, and more covert attacks. You don’t want it to be known you’re in the system if your intent is to make money,” says McManus.

And it’s getting more challenging for security vendors to keep up with the threats. The end of last year saw a rise in polymorphic malware attacks, which release dozens of variants of the same virus in quick bursts over a short period of time, McManus says.

“That makes it very difficult to put a signature on it,” he says.

Anti-virus vendors are making strides by using heuristic techniques to try to determine what these variants have in common. But it’s no easy task given what they’re up against. In the first half of this year, as many as 1,000 variants of several different viruses hit within a one-week period, McManus says, carrying Trojans that unleash spyware, password sniffers, and other hazards.
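The contrast McManus draws, as an added illustration that is not part of the article or the report: an exact-hash signature only matches the one sample it was built from, while a heuristic derived from what the known variants have in common still catches a fresh variant. The samples below are constructed byte strings standing in for variants (they are not real malware), and the 4-byte n-gram approach and the 0.8 threshold are assumptions chosen for the example.

```python
import hashlib

N = 4  # n-gram length in bytes (assumption for this example)

# Constructed corpus, not real malware: every variant carries the same
# functional core wrapped in different padding, so whole-file hashes differ.
CORE = b"open socket;read creds;post http://c2.example/collect"
KNOWN_VARIANTS = [
    b"padA1" + CORE + b"\x00\x00trailer-a",
    b"XXXXXXXX" + CORE + b"tail-b",
    b"\x90\x90\x90" + CORE,
]
NEW_VARIANT = b"fresh-junk-bytes" + CORE + b"more-junk"   # never seen before
BENIGN = b"open socket;read config;post http://updates.example/check-version"


def ngrams(data: bytes, n: int = N) -> set:
    """All overlapping n-byte substrings of a sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def signature_db(samples) -> set:
    """Classic signature: the exact SHA-256 of each known sample."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def signature_match(sample: bytes, db: set) -> bool:
    return hashlib.sha256(sample).hexdigest() in db


def common_core(samples) -> set:
    """Heuristic: keep only the n-grams present in every known variant."""
    return set.intersection(*(ngrams(s) for s in samples))


def heuristic_match(sample: bytes, core: set, threshold: float = 0.8) -> bool:
    """Flag a sample if it contains most of the variants' shared core."""
    if not core:
        return False
    return len(ngrams(sample) & core) / len(core) >= threshold


def evaluate(sample: bytes) -> dict:
    """Compare both detection approaches on one sample."""
    db = signature_db(KNOWN_VARIANTS)
    core = common_core(KNOWN_VARIANTS)
    return {"signature": signature_match(sample, db),
            "heuristic": heuristic_match(sample, core)}


if __name__ == "__main__":
    for name, s in [("known", KNOWN_VARIANTS[0]), ("new", NEW_VARIANT), ("benign", BENIGN)]:
        print(name, evaluate(s))
```

The benign sample shares roughly two thirds of the core n-grams (common strings like "open socket" and "http://"), which is why the threshold matters: set it too low and the heuristic starts producing false positives.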

It’s hard to find much positive news in this, but one very thin silver lining is that the activity is getting more companies to report incidents and cost damages to law enforcement, as well as cooperate with other organizations to fight cybercrime. Unfortunately, there haven’t been any big breaks resulting from this yet.

To help combat the problem, McManus says businesses increasingly are turning to managed security services for network audits or management. Companies are getting better at keeping up with new releases of anti-virus software, but they also can’t let down their guard on ensuring that employees are aware of the risks.

“The training issue still has to be there,” he says. “You tend to get lax if you haven’t been hit over the head in two or three years.”

It’s obvious that malware authors aren’t giving up, he says — and neither can you.