Update: Infosecurity showgoers place law above technology

LONDON -- Information security isn't as much about technology anymore as it is about legislation and law enforcement. That was the view of some experts and attendees at the Infosecurity Europe show in London on Tuesday, where technology vendors rubbed shoulders with law enforcement experts on the show floor.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

"Information security has turned into an arena for organized crime," said Stuart Okin, an associate partner at technology consulting firm Accenture.

Okin pointed to the recent surge in phishing and spyware attacks which have taken center stage over virus outbreaks. The cost of e-crime on U.K. businesses alone is estimated to be £2.4 billion ($4.6 billion) a year, he said.

Many of the IT security problems companies face are due to their own lack of internal preparation such as educating staff and putting security procedures in place, experts said.

"What is being exploited is poor security policy far more than expensive technology," said Chris Simpson, a detective inspector with the U.K.'s Metropolitan Police Computer Crime Unit.

Knowing how to internally deal with security issues, by giving staff information on how to properly report an e-crime and preserve evidence from an attack, is especially important given that Internet users are losing control of their actual computers, experts said.

This is due to the rising number of "botnets." Botnets are malicious software programs that run on infected machines without the owner's knowledge. They are controlled by hackers and can be used to launch DoS (denial-of-service) attacks or perform other nefarious deeds.

Botnet collections are increasingly being used by organized crime, according to experts at the show. These gangs trade botnets -- sometimes 50,000 to 70,000 at a time -- to commit crimes such as extortion. The gangs threaten to take down a company's Web site with a DoS attack unless the company pays up, according to Robin Urry, from the European Union's Joint Research Center, a scientific and technical research lab.

"The disturbing trend we've seen in the last year is an increase in botnets and more activity from Russia's organized crime gangs," Urry said.

But while outside threats seem to be mounting, around 90 percent of companies' IT budgets are still dedicated to maintaining existing infrastructure, Okin said. This is one reason why it's important for international law enforcement agencies to cooperate on tracking down cyber criminals. It's also essential for governments to develop policies and penalties that are in sync across borders, leaving criminals with nowhere to hide, experts said.

At least one show attendee, Peter Watts, information security manager for IBM U.K., agreed that information security is a legislative and law enforcement problem, rather than just a technology issue.

"I want to see more cooperation on data privacy and policy," Watts said. "There's too much technology at this show."

Over 300 exhibitors have shown up for Infosecurity this year, to launch 120 new products. Ten thousand attendees are expected, and hundreds waited outside in the drizzling rain on Tuesday.

For some of them, though, security is still about technology.

Barry Hood, a security consultant for Electronic Data Systems, said security has always been about people: knowing who has access, what their routines are, and what information they need. These are things that legislation cannot cover, he said.

Hood said that he was at the show looking for new smart card technology that could link information control with identity.

Experts speaking at the show did not dismiss the power of security technology, but emphasized that companies need to dedicate just as much money and time to making sure that internal policies and safeguards are in place as they spend on securing IT.

Social engineering is key, according to Michael Colao, global head of IT security at Dresdner Kleinwort Wasserstein.

"When you ask companies what is more threatening -- a mythical group of highly trained Russian cyber criminals or an internal vulnerability, they'll probably say the internal threat. But then they do nothing about it," he said.

Infosecurity runs through Thursday at London Olympia.