Internal security is the most important security
Filed in archive Security by Scott Wilson on August 30, 2008

The study, commissioned by password vault software maker Cyber-Ark, exposes and perhaps exaggerates what has been an open secret in IT circles almost since the dawn of the profession: relatively low-level, disrespected, unrecognized IT staff have their companies by the balls. While no one is irreplaceable, it turns out that there are quite a few who can make themselves downright unpleasant should they be replaced.
Of course this is exactly the sort of finding you would expect from a study conducted by a company like Cyber-Ark, and I don't believe that the specifics should be taken any more seriously than any of those virus studies sponsored by McAfee. Although such incidents, should they occur, are certain to be hushed up, you don't hear about them every week, and if approaching 90% of laid-off IT staff were walking out with such information, you would be. But I've seen a few people let go in my time, and there have certainly been those who, to a greater or lesser degree, decided to let acrimony interfere with judgement and attempt to disappear with company equipment or information, or disrupt what was left behind. In some cases, it was difficult to tell if the disruption was intentional or simply a result of incompetence, but from the point of view of the business, it makes little difference.
This being the case, it is still surprising that so many organizations which put time and effort into securing their perimeter do so little to ensure that their internal systems are secure from their own technical staff. The threat is both greater and more real than that from external sources.
Internal security is harder to accomplish, however, especially with regard to technical staff. By nature, the roles of IT staff require access, and there is no way to allow them to administer systems (or secure them from others) without also allowing them sufficient access to either walk off with important information or cause considerable disruption. Because it's hard, and because it's off the radar of many corporate officers, little is done to address it. On some occasions I've heard concerns over the matter dismissed out of hand simply because it was assumed that no solution could be had.
There are solutions, though; they simply aren't easy. You can't lock out your admins, but what you can do is put systems in place to conduct rigorous logging and auditing, and to require mutual reliance between staff for access to sensitive information. Compartmentalization is also an old standby which can dramatically reduce exposure to internal threats. All these things require considerable planning and consideration, but as with all security efforts, they must be judged against the exposure... and the exposure is usually considerable.