It is an astonishing fact that most of us are victims of attempted theft every week. It is even more shocking that few of us bother to report it.
Individuals and small businesses (probably large ones too) are pestered with phishing emails inviting them to disclose banking/credit card details or other information that could enable identity theft or other fraud. What do we do? I suspect that most of us just delete the suspicious email, feeling a bit smug that we're too worldly-wise to be caught by that 'old chestnut' (of course it isn't that old but it's become so prevalent that it seems to have been around forever).
I suspect too that large organisations (apart from financial institutions that have a vested interest in that they may have to compensate clients for losses from identity theft) don't do that much reporting and tracking back either when they see possible incidents of external IT fraud and attack. Of course, spam filters are great in blocking possibly fraudulent emails. But they act in fact as a shelter for the perpetrators who know that organisations that might actually have the resources to pursue them or the willingness to report them won't even know of their existence.
The focus is more on prevention than cure - in this case, the 'cure' being the tracking of offenders and their prosecution. And that has to be wrong. Big or small, we're all encouraging criminals who know that the worst punishment they're likely to receive is having their site - which they've been clever enough to set up so that it can't be traceable back to them - shut down.
It seems that at last some action may be taken in the UK. In August, the House of Lords Science and Technology Committee released a new report calling for a major overhaul of current UK internet security practices. Recommendations include: introducing a central web-based e-crime reporting system; creating security breach notification laws (so that clients know when their personal information has been exposed); and the potential for IT security vendors to be held liable for security breaches.
If every week you or one of your company's customers was subjected to an attempt to mug them - even if no physical violence was involved - you'd feel threatened and impelled to act. So why let the web muggers get away with it?