IT leaders, government officials, security vendors and analysts at the recent Infosecurity Europe event heard that firms are facing growing threats to their systems.
Delegates were told that the number of malicious attacks has been rising, and is expected to grow further over the next year.
The DTI published its Information Security Breaches Survey 2004, with figures that indicate many firms are still not giving security the attention and resources it deserves. Over half of firms spent just one percent or less of their IT budgets on security last year, and very few were taking steps to estimate the value of their security expenditure.
Security standards and certifications were widely ignored, despite being promoted by the government and security vendors. Almost two thirds of large UK organisations were unaware of the contents of the British security standard, BS7799. And three quarters of those responsible for IT security in large enterprises did not have any formal security qualifications.
Firms were advised not to assume that developers of software and systems would provide safe products free from vulnerabilities. "Security is an afterthought as it always has been and always will continue to be," warned Fred Cohen, principal analyst at research firm Burton Group. "Application and operating system security is the root problem. Developers are just not doing their jobs well and convenience is still winning out over security in many cases."
Stephen Timms, minister of state for e-commerce, added, "Information security problems are a routine part of everyday business life. All of us have to roll up our sleeves and deal with them."
Spam, though traditionally not viewed as an IT security issue, was high on the show's agenda. "Spam and viruses are converging, and are becoming one and the same attacks," said Cohen.
Delegates were told that spam is unlikely to be stopped by European and US anti-spam laws. Email security firm MessageLabs said that new laws had not reduced the amount of spam sent and could in fact be making matters worse.
MessageLabs' chief technology officer, Mark Sunner, said the US Can Spam law and the EU Privacy and Electronic Communications Directive had created confusion and given companies a false sense of security. "These laws are probably creating more problems than they are solving," he argued. "We can show the legislation is not working because we have collated the data and are seeing the growth rates in spam since they were introduced."
Sunner argued that the Can Spam Act has a major shortcoming. "It assumes spammers are scrupulous and will abide by the law," he said. "The EU directive is confused and is being interpreted in different ways by each member state."
Jean-Jacques Sahel, deputy head of e-communications policy at the DTI, said harmonisation of global anti-spam legislation was needed, but he defended the EU privacy law. "There are slight differences in national laws [in EU member states] but overall the directive is quite solid in the way it is implemented across the EU," he said.
Sahel said that the DTI would put information on its web site by the end of May to show how countries were interpreting and implementing the directive.
Sunner added that ISPs could do more to protect end users. "If the water that came out of your taps was filthy and you had to filter it you wouldn't be very happy," Sunner said. "ISPs are basically giving us the equivalent of sewage. If they installed protection at the internet gateway this problem could virtually disappear."