Michael Krigsman at the ZDNet IT Failures blog turned up an interesting and somewhat frightening survey conducted recently by security firm Cyber-Ark. According to the survey (available for download after you surrender your personal information here), "The Global Recession and its Effect on Work Ethics", desperate employees worried about layoffs are a thing to be feared by CIOs and corporate security officers.

To start with, half of US respondents were afraid for their jobs at this point, a statistically improbable position to hold but entirely understandable given current conditions. When people are worried, they are willing to do things they might not normally do... and that's why CIOs should be worried, because far too many count on people doing what they normally do to provide a semblance of security, instead of actually implementing functional, objective security processes.

It turns out that 70% of the respondents would happily snoop around corporate systems using their IT access rights to look for information to improve their chances of being retained in the event of layoffs. More than half would look for assistance from IT staff with more powerful credentials in doing so. In the event they felt their job were in immediate danger, nearly 60% would download proprietary information so gained. Customer information, product information, secure access codes... it's all heading out the door on memory sticks, CDs, cameras, and via e-mail.

Cyber-Ark is a security firm, so of course the statistics should be taken with a grain of salt, but based on personal experience from the last tech downturn, I find them easy to swallow. It's always worth a reminder, anyway, that the majority of security breaches have always been internal. With the antivirus software technology available today, it's easier than ever to transport compromised information off-premises, and few corporations have taken the extensive steps required to properly segregate and secure data and user accounts. This is an extremely difficult and complex undertaking, of course, and it's even more complicated when attempting to impose such structure on a system not designed for it from the ground up. I suppose it's unlikely that in a time when security budgets are already on the chopping block that significant efforts will be made to correct the problem... but the threats are ratcheting up whether you acknowledge them or not.