SMEs must invest in security - and save money

Companies can reduce their insurance costs, legal liability and improve credit ratings if they can prove IT systems are prepared for disaster, according to US academics.

The International Center for Enterprise Preparedness (InterCEP) at New York University is attempting to convince US businesses that there are financial incentives to be had from investing in IT security.

Bill Raisch, executive director for InterCEP and a former 9/11 commission advisor, said: "We're trying to give the business recovery area greater ammunition. Negligence laws suggest we have a responsibility to our customers and we have found smaller companies are unprepared for this. So we're trying to get closer communications between businesses and the legal and insurance industries."

Research from analyst AMI-Partners found a quarter of small to medium-sized companies in the US have no IT security at all, while some companies that practice regular updates and have disaster recovery plans have boasted they saved money on insurance.

Donna Childs, CEO of Child's Capital, a small New York company which invests money to help developing countries, said: "In the [small business], ignorance is the key challenge. But I think what has been effective for us with security is insurance - we negotiated a 30 per cent discount so I've already earned a payback."

Speaking at an HP event in New York today, IT manager for design consultancy Atkins Jorgen Kjaerlund added that security was by default an insurance policy.

"Small companies pay a lot in insurance costs," said Kjaerlund. "But they need to think of security as insurance too. It's all about looking at what they can afford to lose and then looking at what they need to invest in."