Message 4 of 28
Missing items
Information security is only a small part of the equation, the overall attitude to and implementation of "Protective Security" which encompasses physical, information and personnel security is the key.
But given that trusted insiders are personnel, consider this.
Most companies rely solely on the recruitment process, which only determines an employee's job suitability but does not determine suitability to access resources of a confidential or commercially sensitive nature. The recruitment process does facilitate appropriate levels of vetting to determine if there is anything in a person's character or background that could lead to them becoming the next "trusted insider". Companies rely on technology, which can be bypassed, whereas the problem is a "Human Factor" problem.
A well-designed and targeted vetting program that looks into an employee's history and lifestyle to determine if they are a security risk is critical. Another area that most companies overlook is "Security Awareness". Security Awareness training should be mandatory annually to remind employees of their obligation to protect company resources and to educate them about the threats the company faces, be it cyber or trusted insider. Teaching employees to notice when someone's behaviour has significantly changed, which indicates the person is a potential threat, reporting it, and the sensitive handling of the matter are all critical to mitigating the risk from the trusted insider. Until organisations implement these sorts of mitigation tactics, the problem will only get worse.
Posted by feral@...
14th Feb