Compliance driving security spend

The threat of impending legal action is encouraging companies to open up their wallets and spend money on security software that will ensure they are compliant with new legislation, according to attendees at the Infosecurity show in London.

In the wake of scandals such as Enron, corporate-compliance legislation such as Basel II and Sarbanes Oxley was drafted to ensure that companies get their houses in order. Unsurprisingly, the proper treatment and protection of electronic data is central to these new measures as auditing and archiving become paramount.

At the heart of the technology issues where compliance is concerned is instant messaging (IM).

IM is a common trading tool for bankers and traders and yet the standard applications used are far from compliant.

According to Kailash Ambwani, CEO of secure IM provider FaceTime: "IM is mission critical to these guys, but they don't normally have in place the necessary security, accountability, logging or archiving to make those IM sessions compliant."

As such once an IM window is closed and a machine shut down, deals that are worth thousands or sometimes millions of pounds are reduced to little more than 'our word against yours' – and in the case of another Enron-style accounting debacle, such arguments would not stand up in court.

Similarly, compliance rules could be breached, such as insider dealing. Ambwani cited the situation in the US where traders are forbidden from talking to other traders, but on IM, where users can easily go by a pseudonym, there are no measures in place to ensure this isn't happening.

However, companies are now realising the need to embrace compliance.

"The early adopters did it 18 months ago," said Ambwani. "But many companies are now only just thinking about compliance."

And Ian Schenkel, managing director of firewall firm Sygate, believes many will get caught with their pants down. He said: "There are very few companies out there who are prepared for this or for the enormity of the challenge."

Ambwani attributes much of this to "denial" on the part of companies who have lost control of their networks. Schenkel is less forgiving, putting it down to "ignorance".