5% - Hardware encryption, leased line, keys for hardware encryption and passwords delivered in seperate parts by different people after identity verification. No physical connections to gateway systems. (Federal Reserve, Chase Manhatten Bank...)
The unknown tier, many of them are banks where minimum security is a regulatory thing. It's a part of doing business. I'm not sure, that if left to their own devices, that they wouldn't join the majority in in their apathy.
We were actually suprised that the good banks are pretty tight and without real regulations that say exactly what to do. In technology reviews, we've been asked about Van Eck sniffing, encrypting data while in RAM, and some pretty impressive other stuff. Of course the bank is the one with the money at stake. What worries me, is my experience with corporate style IT management tells me they only get that paranoid after being burned a few times. Must have been some expensive lessons. --Mike--