Security executives have admitted that their companies
do not have plans to cope with the effect of an unconventional
terrorist attack, even though most believe that a terrorist attack
of some kind is likely in the coming months, according to a
poll.
US title CSO magazine surveyed 476 chief security officers
(CSOs) and senior security executives, and found that 60% believe
that a terrorist attack is likely in Boston or New York.
While 63% of CSOs say their companies have planned for such
attacks if conventional means, such as bombings or hostage taking,
are used, 61% say that they have not planned for unconventional
attacks using chemical, biological or nuclear weapons.
The online survey of CSO subscribers was conducted between 27
April and 18 May, and has a 4.5% margin of error. The subscribers
were asked their opinions on a number of issues, including
terrorism, politics, information technology security policy and
purchasing decisions.
The CSOs' concerns about terrorism probably mirror general
concern in the US about terrorist attacks. However, about half of
CSOs have backgrounds in law enforcement and most of those still
maintain contact with former colleagues, which may give them an
inside line on possible threats, said CSO editor-in-chief Lew
McCreary.
While planning for unconventional terrorist attacks is rare, the
CSOs reported much better preparation for more common threats such
as cyberattacks, natural disasters and violent employees.
Ninety-four per cent of those surveyed have contingency plans in
place for natural disasters and 86% for cyberattacks. Eighty per
cent said their companies are prepared for attacks from violent
employees or former employees.
The survey did show that companies are quick to slam the door on
former employees. Seventy-four per cent of those surveyed block
network access to e-mail and critical documents within one business
day of employees being fired or leaving a company and 81% block
physical access within one business day.
The theft of intellectual property or other proprietary
information is a top concern of CSOs, with 91% of those surveyed
saying that managing access to critical information and documents
was either "extremely important" or "very important".
The study also showed those concerns are often well placed.
Fifteen per cent said that their employer lost or had critical
documents or corporate information copied without authorisation in
the past year. Almost a quarter of those responding said they could
not be sure whether such losses had occurred at their company.
However, concerns about the theft of proprietary information are
not influencing decisions about what security products to buy. Only
11% of CSOs surveyed said that the theft of intellectual property
was the primary factor in security spending, which averaged $16.6m
a year for those surveyed. Instead, the desire to comply with
government regulations is a bigger motivator for CSOs, with 49%
citing "issues related to regulatory compliance" as the prime
reason behind their security purchases.
Companies need to have policies and processes in place that
protect their most important assets and ensure the safety and
welfare of their employees, McCreary said. Among other things,
organisations shown to have ignored the interests of either
shareholders or employees in the wake of a disaster could be held
liable for losses and damage.
Clearly articulated policies and procedures for emergencies and
frequent exercises that reinforce those procedures are a good place
to start, he added, but companies also need to weigh the costs and
benefits of any plans to guard against attacks, including those
using weapons of mass destruction.
"Companies can't go crazy worrying about the likelihood of a
terrorist event if the cost of remediating such an event is going
to be prohibitive," he said.
Paul Roberts writes for IDG News
Service