Washington, D.C.-based IOMA released figures from a study that gauged just how prepared corporations were for a terrorist strike. Although the results were somewhat discouraging, it is the hope of the study's authors that the information will serve as a benchmark for companies in their anti-terror efforts.
"Terrorism is really a unique security challenge for private companies," says Garett Seivold, editor with IOMA and one of the researchers. "For one thing, because events are rare, probability information is useless. And because most businesses don't have regulations telling them specifically what they need to do, there is nothing telling them when they've done enough. Also, as 9/11 showed, organizations can't afford complete protection against every attack scenario, which forces a business to decide which risks it is willing to live with."
All these factors, he says, make it extremely difficult for a company to judge whether it is spending too much or too little on terrorism prevention and mitigation. Therefore, according to Seivold, the goal of this survey was to help organizations with making these tough decisions by allowing them to compare their response against the actions of others.
Among the findings was that many of the corporate security executives in the study believed the odds are better than 50/50 that a terrorist event will have at least a moderate impact on their organization by the end of the decade. However, in six of 10 attack scenarios, organizations said they have taken less than 50 percent of the security measures that they should. Further, 16 percent of respondents said they discovered that their company was under terrorist surveillance since 9/11 and 13 percent received specific terrorist threats.
IOMA surveyed a total of 228 respondents from a cross-section of industries, including financial services. Those participants from this sector believed the greatest threat to them lies in cyber attacks that would affect their IT networks, according to Seivold. This is exactly where they are concentrating their security efforts.
One question asked respondents to rate on a scale of one to 10 (with 10 being extremely likely) whether they believed a terrorist event would have at least a moderate impact on the organization-including its people, assets or operations. The average response for banks was 6.2, compared with 5.8 for all other respondents. Therefore, the terror issue is definitely top of mind for banks.
"In light of how they perceive the risk, security representatives at financial services [companies] believe they have taken only 22 percent of the security measures they need to take against an area-wide chemical, biological or radiological event, and only 23 percent of the necessary measures to protect against a suicide bomber," Seivold adds.
The study also mentions that companies are spending more on anti-terror efforts in industries that have more anti-terror regulations. As a highly regulated industry, the study showed that these firms were spending more dollars on anti-terror efforts. "The results showed that banks spent significantly more on anti-terrorism in 2005 than companies that do not fall under any anti-terrorism regulations," explains Seivold. "However, banks' average spending was actually less than in some other industries that do fall under regulations. However, we only benchmarked 2005 spending; it may be that the banks in our survey had already invested heavily in anti-terrorism in 2004 or earlier."
He goes on to say that companies have done much more preparation on the operational side -- areas such as intrusion detection, surveillance and mailroom training -- than they have on the design and structural side, such as tightening security around ventilation systems or investing in blast-resistance. "And that's smart, since operational improvements tend to be cheaper and often provide ancillary protection (against theft, for instance). But it's important for most businesses to acknowledge that they are more likely to suffer collateral damage from a terrorist attack on a facility down the block than they are to be the direct target of attack, so structural security should play a major role in anti-terrorism," he advises.
Seivold also once again notes the close relationship between spending on anti-terrorism and the degree to which an industry is regulated. As a result, "it would be hard not to acknowledge the role that regulation may need to play in specific areas of vulnerability, although it is clearly more useful to provide companies with incentives to invest in anti-terrorism," he relates. "Companies face myriad competing security risks and if you want them to target their security efforts in any one particular area then you should provide them help and encouragement to do so."