The nationwide survey shows that 61% endorse the business case argument that security provides value for their companies and a positive return on investment, but 39% say that security is simply a cost that must be tightly controlled. Strongest support for security spending is in the so-called "critical "ndustries"--transportation, energy and utilities, financial services, media and telecommunications, IT, and health care. Increases in security spending are lowest among the smallest companies.
Most surveyed companies, however, report little increase in security spending since Sept. 11, 2001. In fact, 45% say they haven't increased their spending since the terrorist attacks in 2001--and 1% say they have actually cut back on security spending.
"The most alarming finding is that only 28% of midmarket companies have an off-site center for emergency operations. This suggests that many smaller American firms would have difficulty conducting their business in the event of a prolonged power outage or closure of their primary facility," says Tom Cavanagh, the Conference Board's corporate security expert and author of the report. "Given the vital role played by smaller companies in the U.S. economy, the economic impact could be quite severe should we suffer another 9-11 type attack in heavily populated areas."
Approximately 21% of CEOs report that they meet with their top security officer at least weekly, and an additional 25% meet at least monthly. But 28% meet with their security directors only a few times a year, and 26% report that they have never met with the security chief at any time during the previous year.
Access of security officers to their CEO has a direct impact on security spending. Three-quarters of the companies that hold weekly security meetings with top executives report an increase in security spending since 9-11, compared with only 30% of those firms where the CEO never meets. In companies with senior-level security meetings at least once a month, at least 30% report an increase in spending of 10% or more, compared with 19% of companies with occasional senior-level meetings and 9% of companies where the chief executive and security director never meet.
The Conference Board study finds that the smaller the company, the less likely its board of directors is to establish written security guidelines, and the less likely the company has procedures in place to handle security problems.
By comparison, 71% of larger midmarket companies have board-approved written guidelines on disaster recovery and business continuity, compared with 43% of smaller companies. Only about one-third of midmarket companies, regardless of size, report that the board has approved written policies dealing with routine security issues.
Nearly 80% of companies surveyed report a disruption in business travel due to the terror attacks in September 2001, and 47% report a drop in revenue. This trend was found in all major regions of the country.
In the nation as a whole, 16% of businesses report that they closed operations as a result of the August 6, 2003, power outage, the same as during the terror attacks. In some respects, the blackout had a greater impact on company operations. As a result of the blackout, 22% of companies lost electric power, 18% lost telephone service, and 17% lost Internet access. These percentages are all in the low single digits for 9-11.
The most significant differences are seen in the disruption of business travel (71% from 9-11 vs. 21% in the blackout) and a drop in revenue (47% vs. 13%). These problems account for the severity of the impact of the terror strikes. CEOs consider these economic impacts even more important than the temporary loss of networked services. The report concludes that future assessment of corporate vulnerabilities should bear such findings in mind.