Monday, Aug. 2, was anything but an ordinary workday -- at least in New York and Washington. Police officers carrying semi-automatic rifles rode the capital's Metro subway trains. Commercial trucks were barred from entering Lower Manhattan through the Holland Tunnel. Harried workers in key financial centers -- the New York Stock Exchange, Citigroup's midtown headquarters, and the World Bank-International Monetary Fund complex in Washington's Foggy Bottom -- endured long lines for ID checks, police dogs sniffing their briefcases, and intense screening on their way to work.
But elsewhere in America, screaming headlines about al Qaeda's plans to attack financial targets hardly ruffled the doldrums of deep summer. The nation's tallest building, Chicago's 110-story Sears Tower, didn't add to its 100 security guards. In Cincinnati, Procter & Gamble Co. (PG) said it was content with its current level of security at home and abroad. Disneyland and Warner Brothers Inc. (TWX) in Southern California added no new security above the enhanced levels that followed the September 11 attacks. The message was the same at Boeing Co.'s (BA) sprawling Seattle aircraft plants. Only in San Francisco was added police activity visible. Computer files captured from al Qaeda operatives in Pakistan mentioned the city's 52-story Bank of America Center -- which also houses Goldman, Sachs & Co. (GS) and Morgan Stanley (MWD) branches.
Three years after September 11, U.S. companies have widely divergent approaches to security -- ranging from lax to intense -- based on whether their industries are considered vulnerable and where they are located. Companies headquartered in Washington and New York, cities already hit by al Qaeda, are spending freely on security and redundant control and communications systems.
But even as Homeland Security Secretary Tom Ridge warns of heightened risk of a preelection terror attack, businesses in other major cities are taking more of a cost-benefit approach -- and deciding that the safeguards they've added since September 11 will meet the risks they're likely to face. Nearly 40% of the top executives of 96 midsize companies recently surveyed by the Conference Board agreed that "security is an expense that ought to be minimized." The Conference Board study found that 45% of the companies reported spending no more on security than before September 11. Some "keep betting that it's not going to happen" to them, says former New York Mayor Rudolph W. Giuliani, who now runs a private security consulting firm. "You have to have your head in the sand not to be doing anything about [terror] if you are responsible for large numbers of people."
Still, it makes sense for the obvious targets to do the most to boost the security of their buildings and employees. That explains why the financial industry has taken the lead. Building on the hard-won lessons of the 2003 blackout, Hurricane Isabel, Y2K upgrades, and the four-day shutdown of the NYSE after September 11 -- the industry has invested heavily in redundant networks and emergency plans. As a result, the odds that markets and money flows will function if another attack occurs are much improved.
Unfortunately, that has turned Wall Street into something of a bunker these days. Investment banks, some of which were forced to abandon their headquarters after September 11, are spending as much as three to four times more on security than they did before the attack. "The financial-services industry is simply smarter than the federal government about this," says Larry C. Johnson, a former CIA counterterrorism expert and CEO of risk-management firm BERG Associates LLC.
Today, the NYSE has an upgraded backup facility -- in an undisclosed location -- that could take over trading within hours of an attack near the corner of Wall and Broad Streets. Vows CEO John A. Thain: "We will not be intimidated by terrorists." Similarly, the Federal Reserve Bank of New York, which responds to crises such as 1987's Black Monday by flooding markets with liquidity, can quickly shift its open-market operations to satellite offices in East Rutherford, N.J., or one of the 11 other regional Fed banks.
"LESS VISIBLE MEASURES"
At Citigroup (C), whose headquarters was targeted by al Qaeda, the bank is on high alert through the coming Aug. 30-Sept. 2 Republican National Convention. Visitors can expect heightened ID checks and baggage screenings along with "certain less visible measures" that the company won't detail. Granted, none of this guarantees that another massive assault wouldn't disrupt markets. But experts say the truck-bomb attacks detailed in the latest al Qaeda intercepts would not shut down either Wall Street or the economy.
In Washington and New York, the latest terror alert had security consultants hopping. "Our phones are ringing off the hook," says Howard Safir, a former New York City police commissioner and now a partner in Safir Rosetti, Inc. a New York security consulting firm. He says the specificity of the terror alert "really got people's attention. A lot of [companies] that were hesitant to move forward want to do it now."
He and others say they're typically called in to evaluate physical security and advise companies on what's missing. The next step -- only lately being undertaken by companies outside the high-risk zones -- is to add such enhancements as off-site emergency offices and data storage to their capital budgets. James Lee Witt, the Clinton Administration's disaster chief and now a private consultant, recently drew up such plans for clients ranging from the University of Southern California to Nextel (IBM), in addition to reviewing emergency plans for Entergy's Indian Point nuclear plant near New York City.
For companies outside major urban areas that feel they have already taken sufficient precautions, cost is a big issue. With the recession still fresh in execs' minds, many remain unwilling to spend on anything that won't generate profits. In the absence of official security mandates, many "are reluctant to spend money if their competitors aren't doing the same because they fear it could put them at a cost disadvantage," says Randall Larsen, CEO of Alexandria (Va.) consultant Homeland Security Associates.
Yet not all the solutions are costly. Security cameras outfitted with software to recognize unusual situations or movements can replace guards. Blastproofing windows with special films could avert injuries from explosions. Planning in advance for off-site workspace or communications in the event of an emergency can get a company up and running quickly after an attack. And smart companies give their workers an 800 number to call in emergencies.
THICK WALLS, LOW PROFILE
Along with upgrading security cameras, bolstering ID checks, and improving other on-site protections, security experts argue that more companies, particularly outside the Washington-to-Boston corridor, need to strengthen what's known as "business continuity planning." Unmarked buildings such as one data center in an unremarkable office park near Dulles International Airport serve as insurance against both terrorist assault and natural disasters. The facility was built to house Web and database servers and communications gear for financial institutions and others. Its windows are fake and the exterior walls are constructed with a sandwich of blast-proof Kevlar between two layers of concrete block. Power comes from two separate mains, with a diesel generator for blackouts. Access is through double doors by a biometric handprint reader.
The good news, experts say, is that business is starting to look to leading industries, such as financial services, as a model. Business Executives for National Security, a Washington-based group of CEO volunteers, is spearheading an effort in New Jersey to create a database of trucks, food, and medicine that could be used in an emergency. The group is even pestering the federal government to do a better job of backing up its own financial data. Steve Chupa, security director of a large company in New Jersey, even has some praise for Washington for identifying buildings targeted by al Qaeda. "It doesn't matter so much that the information [the Homeland Security Dept.] is giving us is dated," he says. "The lesson is, they are finally sharing."
No doubt business remains on a steep learning curve. But the lessons of September 11 and its aftermath -- plus hurricanes, blackouts, and computer glitches -- are starting to spread. Is America safe? Not yet -- and it has a long way to go.
By Paul Magnusson, with Emily Thornton, Diane Brady, and Spencer Ante in New York, with bureau reports