A new study shows that most large companies don't spend enough of their IT budgets on upgrading their security infrastructures - a situation that could lead to bigger problems in the face of government legislation and corporate mergers and acquisitions.
Nemertes Research last week released its "Effective Security Solutions" report, which says the average 2% to 3% of the overall IT budget that companies allocate for security will not adequately prepare most of them for government regulations, new applications and/or Web services architectures.
Johna Till Johnson, Nemertes Research president and chief research officer, and a Network World columnist, says spending 3% on security will allow for only the security basics at most large organizations. Nemertes' definition of security basics includes deploying firewalls and VPNs, and controlling the security perimeter.
"Everyone will say that security is essential, and no one will dare say it's not important, but they are still underspending on security," Johnson says.
Nemertes found that many companies in the past five years have made strides in designating security officers, staff and budget, but still fall short when it comes to funding new and necessary projects. Johnson says companies must spend at least 5% of their overall IT budgets on security to incorporate the infrastructure upgrades and policy-based processes necessary to comply with government regulations passed in the past eight years or so.
The security requirements in legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Financial Modernization Act of 1999, the Sarbanes-Oxley Act of 2002 and ongoing Department of Homeland Security initiatives, represent a significant concern for companies currently underspending, Johnson says.
HIPAA establishes national standards to ensure privacy in electronic healthcare transactions. In light of the accounting discrepancies of recent years, Sarbanes-Oxley requires that managers vouch for the internal controls their companies place over areas that include transactions, electronic information and communications. Sarbanes-Oxley will become a Securities and Exchange Commission rule. The Gramm-Leach-Bliley act broke down information-sharing barriers among the U.S. banking, securities and insurance industries so as to provide various financial services to customers, but it also requires that many electronic financial privacy regulations be put in place.