The barrage of cyber-attacks against U.S. companies continued in 2015. Some were spectacularly successful, costing the victimized companies—as well as their workers and customers—millions.

Americans can expect more of the same in 2016. The bad guys still want to steal commercial secrets, as well as your Social Security numbers, birth dates, home addresses, financial records, medical records, and security credentials—anything they can use or sell.

In 2015, health care providers such as Anthem, Premera Blue Cross, CareFirst, UCLA Health, and Excellus were compromised. Financial institutions such as Morgan Stanley, Experian, and Scottrade were also victims. Hackers targeted banks across the globe in search of financial gains; meanwhile, day traders hired hackers abroad to steal proprietary information in an attempt to gain an edge on the stock market.

The Ponemon Institute surveyed 58 companies and found that cyber-attacks had cost companies an average of $15.4 million in 2015, an amount 20 percent higher than the year before.

Universities and educational sites were targeted more frequently this year than before. Penn State identified a breach that had been open for almost two years. The University of Virginia; Rutgers University; and a number of testing sites in Florida, Minnesota, and California were also victims of cyber-attacks. Overall, Ponemon reports, fighting cybercrime cost institutions in the education and research sector an average of $11.4 million in 2015.

The number of Internet users continues to increase, and with the number of mobile phones and other portable devices and wearables increasing, the number of cyber-attacks is expected to rise. However, we may see some changes in future attacks and how some of the personal information acquired may be used.

Cyber-security firm McAfee Labs recently reported that cyber-attacks on payment systems and cloud services will either hold steady or increase. They also noted a significant increase in ransomware attacks, where hackers effectively take control of an electronic device until the victim pays a price. Such attacks can be a matter of life and death when aimed at medical devices such as insulin pumps and pacemakers.

The Internet Crime Complaint Center has warned law enforcement and public officials about cyber-thieves stealing and publishing their personal information. The same can be said for anyone whom cyber-actors seek to intimidate, humiliate, or extort.

That being said, policymakers should avoid knee-jerk cyber-security regulations as new attack patterns come to light. Setting standards, while admirable, would create complacency among large companies and turn them off pursuing self-medicated—and potentially more effective—security measures. Small and medium-sized companies can’t always reasonably afford to meet optimum standards, let alone comply with a slew of regulations. Even federal agencies have trouble meeting cyber and information security measures like those proposed by the Government Accountability Office.

But, unfettered by static and obsolete-as-soon-as they’re-enacted regulations, companies often can address malicious threats much quicker and much more effectively.

Policymakers should continue to seek international partnerships and promote information sharing among government agencies and private companies. While neither is a silver bullet for stopping cyber-threats, they’re valuable tools that shouldn’t be ignored. Similar industries inside and outside the U.S. may face the same type of cyber-threat; cooperatively preparing for future breaches will benefit both national and global security.

Finally, industry and government need to have a serious conversation about how to deal more effectively with new and growing cyber-attacks—especially over how companies might be allowed to fight back. The private sector can do much more to defend itself. Congress should think about how far companies should be allowed to go in fighting cyber-criminals.

Policymakers can help fight cyber-crime, but passing rigid regulations isn’t the answer. That approach simply stifles innovation in the name of security. Successful defense against a constantly evolving cyber-threat requires nimbleness, flexibility, creativity, and plenty of information sharing among the good guys.

Originally published in The Washington Times.