Mid Market Getting Serious About Security -- For The Most Part

Most mid-market companies view their current spending on security as a sound business investment, but a large minority sees it as an expense that must be minimized, according to The Conference Board's latest report on corporate security practices, sponsored by the Department of Homeland Security.

The cross-country survey shows that 61 percent endorse the business case argument that security provides value for their firms and a positive return on investment, but 39 percent say that security is simply a cost that must be tightly controlled. Strongest support for security spending is in the so-called "critical industries" "transportation, energy and utilities, financial services, media and telecommunications, information technology, and healthcare. Increases in security spending are lowest among the smallest companies.

Most surveyed companies, however, report little increase in security spending since 9/11. In fact, fully 45 percent say they have not increased their spending since the terrorist attacks in 2001 and 1 percent say they have actually cut back on security spending.

Could Smaller U.S. Firms Survive a Major Attack?

"The most alarming finding is that only 28 percent of mid-market companies have an off-site center for emergency operations. This suggests that many smaller American firms would have difficulty conducting their business in the event of a prolonged power outage or closure of their primary facility," says Tom Cavanagh, The Conference Board's corporate security expert and author of the report."Given the vital role played by smaller companies in the U.S. economy, the economic impact could be quite severe should we suffer another 9/11 type attack in heavily populated areas."

Some Security Officers Seldom See Their CEO

Approximately 21 percent of chief executives report that they meet with their top security officer at least weekly, and an additional 25 percent meet at least monthly. But 28 percent meet with their security directors only a few times a year, and 26 percent report that they have never met with the security chief at any time during the previous year.

Access of security officers to their CEO has a direct impact on security spending. Three-quarters of the companies that hold weekly security meetings with top executives report an increase in security spending since 9/11, compared to only 30 percent of those firms where the chief executive never meets. In companies with senior-level security meetings at least once a month, at least 30 percent report an increase in spending of 10 percent or more, compared with 19 percent of companies with occasional senior-level meetings and 9 percent of companies where the chief executive and security director never meet.

The Conference Board study finds that the smaller the company, the less likely its board of directors is to establish written security guidelines, and the less likely the company has procedures in place to handle security problems.By comparison, 71 percent of larger mid-market companies have board-approved written guidelines on disaster recovery and business continuity, compared with 43 percent of smaller companies. Only about one-third of mid-market companies, regardless of size, report that the board has approved written policies dealing with routine security issues.

The Impact of Terrorism and More Recent Disasters

Nearly 80 percent of companies surveyed report a disruption in business travel due to the terror attacks in September 2001, and 47 percent report a drop in revenues. This trend was found in all major regions of the country.

In the nation as a whole, 16 percent of businesses report that they closed operations as a result of the August 6, 2003 power outage, the same as during the terror attacks. In some respects, the blackout had a greater impact on company operations. As a result of the blackout, 22 percent of companies lost electric power, 18 percent lost telephone service, and 17 percent lost Internet access. These percentages are all in the low single digits for 9/11.

The most significant differences are seen in the disruption of business travel (71 percent from 9/11 vs. 21 percent in the blackout) and a drop in revenues (47 percent vs. 13 percent). These problems account for the severity of the impact of the terror strikes. Chief executives consider these economic impacts even more important than the temporary loss of networked services. The report concludes that future assessment of corporate vulnerabilities should bear such findings in mind.0