A great big cyber tax on business

Stilgherrian

When business faces a great big new tax or an impending economic meltdown, boards and CEOs fire up lobby groups and scramble for advice to ensure their survival. Why isn't that happening with the ever-growing threat of cybercrime?

Is the risk too abstract? Have we cried wolf too long? Are Australian business managers simply ignorant and behind the pace? All three?

"Our citizens are becoming increasingly desensitised," said David Sykes, head of government relations for security vendor McAfee Australia, at the third annual eCrime Symposium in Canberra this week.

"Our consumer sales used to spike every time we had a Nimda and a Code Red," he said, referring to two of the most virulent worms that plagued the internet a decade ago.

"That impact has completely died out now. You have a major [data] breach and it hits the news for a little while, and then it fades away like a digital fart within a few days."

Indeed, when Sony's PlayStation Network suffered one of history's biggest data breaches in April, with 77 million customer records stolen, users just complained that they couldn't play. Unisys was pimping a survey this week, claiming almost 9 in 10 Australians reckon they'd close their accounts if organisations compromised their data. In reality, they don't.

The eCrime Symposium, founded by former Australian Federal Police officers Alastair MacGibbon and Nigel Phair, is a relaxed, intimate event, peaking at around 70 attendees. Many know each other well. Perhaps that's why they feel free to voice their frustrations.

"The bad guys are better at capitalism than what we are," said Peter Coronoes, who recently finished a 13-year stint as head of the Internet Industry Association.

"They've actually created a commercial model out of this cybercrime, and they have none of the strictures that govern our response."

John Lawler, chief executive officer of the Australian Crime Commission, echoed those thoughts. "The good guys have to abide by the rules," he said. "The criminals have got no rules, no morals. They'll just trash anybody and everybody to make money."

Lawler said that trying to prosecute the vast numbers of offenders, with myriad cross-jurisdictional issues and the difficulty of gathering digital evidence, is doomed to fail.

"I think the game we're in now is about disruption and prevention," he said.

"I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack...  That message hasn't, I think, permeated — certainly in business — to the extent and level it needs to."

Andrew Bycroft, lead security architect at Earthwave, runs education sessions for C-level business managers as part of his company's security outsourcing service. "It's actually a very painful process because they simply don't understand security," he said.

Bycroft resorts to simple metaphors, such as a house, to teach the prevent-detect-respond cycle of Security 101. Prevention -- locks on the doors and windows to keep out the bad guys -- only works if the detection and response parts exist too: alarms to detect when the window is smashed, and a response procedure to call the police.

How Bycroft gets from there to, say, chain-of-custody issues in digital forensics doesn't bear thinking about.

As Sykes noted, "There is a lot of misunderstanding at the board level."

Management cluelessness is reflected in the ease with which criminals can break in.

Nick Klein's firm Klein & Co has conducted around 60 data breach investigations -- that is, figuring out how the hackers got in and what they did -- in the last two years. Almost all the victims were small and medium businesses.

"Most of the targets are low-hanging fruit," Klein said. "When you go through their logs and gather the evidence, it's the electronic equivalent of a ram raid. You can see exactly where they've got in... The logs are lit up like a Christmas tree and they've stolen the data and they've got out of there without even bothering to cover their tracks."

And what's worse, only seven per cent of these companies discovered the data breach on their own. The other 93 per cent were told they had been compromised. Usually they had been hacked, and losing their data, for weeks or months.
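The point Bycroft and Klein make is that prevention alone is useless without detection and response, and that the evidence of a noisy break-in is usually already sitting in the logs. The script below is an added illustration, not code from the article or from any of the firms it quotes: it runs two simple detection rules over a constructed web-server access log (the IP addresses, paths, timestamps and thresholds are all invented for the example) and maps the resulting alerts to a triage severity, standing in for the "response procedure to call the police".

```python
"""Toy detect-and-triage pass over constructed web-server log lines.

Added example, not the article's or any vendor's code. Every log line,
address and threshold here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in a simplified Apache combined format.
# One address fails to log in repeatedly, then succeeds and pulls a large
# export; a second address logs in normally during business hours.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2011:02:14:01 +1000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jul/2011:02:14:02 +1000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jul/2011:02:14:03 +1000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jul/2011:02:14:04 +1000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jul/2011:02:14:05 +1000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jul/2011:02:14:06 +1000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.7 - - [12/Jul/2011:02:15:10 +1000] "GET /admin/export?table=customers HTTP/1.1" 200 48211077
198.51.100.20 - - [12/Jul/2011:09:01:44 +1000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.20 - - [12/Jul/2011:09:02:01 +1000] "GET /admin/dashboard HTTP/1.1" 200 9120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["size"] = int(ev["size"])
    return ev


def detect(log_text, fail_threshold=5, window=timedelta(minutes=5), export_bytes=10_000_000):
    """Return a list of (rule_name, ip, timestamp) alerts.

    Rule 1: a successful login on the admin path preceded, within `window`,
            by at least `fail_threshold` failed attempts from the same address.
    Rule 2: any admin export response larger than `export_bytes`.
    Thresholds are assumptions chosen for the constructed sample.
    """
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on the login path
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["path"].startswith("/admin/login"):
            if ev["status"] == 401:
                failures[ip].append(ts)
            elif ev["status"] in (200, 302):
                recent = [t for t in failures[ip] if ts - t <= window]
                if len(recent) >= fail_threshold:
                    alerts.append(("login_success_after_burst_of_failures", ip, ts))
                failures[ip] = []  # a successful login closes the failure window
        if ev["path"].startswith("/admin/export") and ev["size"] >= export_bytes:
            alerts.append(("bulk_export", ip, ts))
    return alerts


def triage(alerts):
    """Group alerts by source address and assign a severity for the response step.

    An address that trips more than one rule is escalated straight to incident
    response ("critical"); a single hit is queued for a human look ("investigate").
    """
    rules_by_ip = defaultdict(set)
    for rule, ip, _ in alerts:
        rules_by_ip[ip].add(rule)
    return {ip: ("critical" if len(rules) > 1 else "investigate")
            for ip, rules in rules_by_ip.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, ip, ts in found:
        print(f"{ts.isoformat()}  {ip:15}  {rule}")
    print(triage(found))
```

Run as-is, the script flags the 203.0.113.7 session twice and rates it "critical", while the daytime login from 198.51.100.20 raises nothing. The rules are deliberately crude; the lesson is that even crude rules, run at all, would have turned the 93 per cent who were told by outsiders into businesses that found out for themselves.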

Yet none of these stories is new. Every business has surely heard them, or their like, before. So why don't they perceive the risk and do something about it?

Have your say

K Miller

"Management cluelessness" is a good term to use.
It never ceases to amaze me the number of board members, CEOs and senior managers who don't want to know anything about the IT or accounting aspects of their business and don't want to adequately fund those activities. They have a "she'll be right" attitude and seem to think everything will work itself out by some sort of Merlin-style "magic".

The IT and accounting functions are the nerve centre of the business without which nothing can happen. When those functions fail so does the business.

A good example is web host and domain registrar Distribute.IT. A week after they were hacked they were out of business.
