A majority of security executives surveyed say that their companies do not have plans to cope with the effect of an unconventional terrorist attack, even though most believe that a terrorist attack of some kind is likely in the coming months, according to the results of a poll from CSO US magazine released on Wednesday.
The survey of 476 chief security officers (CSOs) and senior security executives found that 60 percent believe that a terrorist attack is likely in Boston or New York City, which are hosting the Democratic and Republican political conventions in coming weeks. While 63 percent of CSOs say their companies have planned for such attacks if conventional means, such as bombings or hostage taking, are used, 61 percent say that they have not planned for unconventional attacks using chemical, biological or nuclear weapons, according to a statement released by CSO.
The online survey of CSO subscribers was conducted between April 27 and May 18, 2004, and has a 4.5 percent margin of error. CSO subscribers were asked their opinions on a number of issues, including terrorism, politics, information technology security policy and purchasing decisions.
The CSOs' concerns about terrorism probably mirror general concern in the U.S. about terrorist attacks. However, about half of CSOs have backgrounds in law enforcement and most of those still maintain contact with former colleagues, which may give them an inside line on possible threats, said Lew McCreary, CSO editor-in-chief.
While planning for unconventional terrorist attacks is rare, the CSOs reported much better preparation for more common threats such as cyberattacks, natural disasters and violent employees. Ninety-four percent of those surveyed have contingency plans in place for natural disasters and 86 percent for cyberattacks. Eighty percent said their companies are prepared for attacks from violent employees or former employees.
Indeed, the survey showed that companies are quick to slam the door on former employees. Seventy-four percent of those surveyed block network access to e-mail and critical documents within one business day of employees being fired or leaving a company, and 81 percent block physical access within one business day.
The theft of intellectual property or other proprietary information is a top concern of CSOs, with 91 percent of those surveyed saying that managing access to critical information and documents was either "extremely important" or "very important."
The study also showed those concerns are often well-placed. Fifteen percent of those responding to the survey said that their employer had lost critical documents or corporate information, or had them copied without authorization, in the last year. Almost one quarter of those responding said they could not be sure whether such losses had occurred at their company.
However, concerns about the theft of proprietary information are not influencing decisions about what security products to buy. Only 11 percent of CSOs surveyed said that the theft of intellectual property was the primary factor in security spending, which averaged US$16.6 million a year for those surveyed. Instead, the desire to comply with government regulations is a bigger motivator for CSOs. Forty-nine percent cited "issues related to regulatory compliance" as the prime reason behind their security purchases, the study found.
Companies need to have policies and processes in place that protect their most important assets and ensure the safety and welfare of their employees, McCreary said. Among other things, organizations shown to have ignored the interests of either shareholders or employees in the wake of a disaster could be held legally liable for losses and damage.
Clearly articulated policies and procedures for emergencies and frequent exercises that reinforce those procedures are a good place to start, he said. But companies also need to weigh the costs and benefits of any plans to guard against attacks, including those using weapons of mass destruction, McCreary said.
"Companies can't go crazy worrying about the likelihood of a terrorist event if the cost of remediating such an event is going to be prohibitive," he said.
CSO magazine is published by International Data Group, which also owns the Computerworld site.