The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98% of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance.
Security spending is up as much as 15% over last year at 11% of the 169 corporations surveyed, which include banks, and investment and insurance companies from 32 countries.
According to the 2007 Global Security Survey, the biggest spending hikes were made in audit or certification costs, logical-access control products, infrastructure protection devices and compliance and risk management.
While 38% of the organisations surveyed did not measure their security budget on a per capita basis, of those that did, 7% said they spend more than $1,000 (£490) per person, 7% between $501 (£245) and $1,000 (£490) per person, 14% between $251 (£123) and $500 (£245), 23% between $100 (£49) and $250 (£122), and 11% under $100 (£49).
In a related trend, 81% of the financial institutions surveyed said they've adopted a formal Information Security Governance framework, up from about 70% last year. The vast majority of the remaining respondents said they are in the process of establishing one.
Deloitte & Touche said the higher adoption rate in formal Information Technology Governance frameworks – which detail lines of authority and reporting requirements, business processes, technology and security measures – appears due to the increased pressure of government regulation.
The technology executives who participated in the annual Deloitte security survey – 22% from Japan and the larger Asia-Pacific region, 12% from the United States, 23% from Latin America , 7% from Canada, 31% from Europe, the Middle East and Africa, and 5% from the former Soviet Republics – indicated that getting through internal and external audits can be tough wherever you are.
They report that the main audit obstacles are networks that still allow excessive access rights; lack of adequate audit trails/logging; and failure to assure access control complies with formal business procedures.
The 2007 Global Security Survey also asked the respondents questions about technology use.
One question pertained to whether organisations prohibit use of wireless technologies, including wireless LANs, infrared networking or mobile devices, due to security reasons.
Forty five percent of the respondents said their organisations prohibit use of wireless LANs, 75% prohibited infrared networking; and 13% prohibited mobile devices, including PDAs and BlackBerrys.
Those not prohibiting use of wireless sought to offer employees guidelines on secure use, published policies on acceptable business use or did implement wireless technologies.