"I may be the boss, but I probably only need the higher-level corporate financial information," he says. "Further, I don't need to see performance reviews for anyone that doesn't actually report directly to me."
It's always a matter of trust
Take these steps, he says, but recognize that in the end, everything is going to hang on trust.
"Numerous factors are increasing organizations' exposure to the threat posed by insiders, and technical controls are limited," Durbin says. "To combat the threat, organizations must invest in a deeper understanding of trust and work to improve the trustworthiness of insiders."
But trust flows both ways, he cautions. While taking pains to make sure your employees are trustworthy, the organization must also prove to its employees that it is trustworthy. For instance, Durbin says that if you monitor employee actions, that monitoring should be disclosed.
"You should be very open about what monitoring you have in place," he says. "If you work on a trading floor, you know that all of your actions are recorded. It's known and accepted."
On the other hand, if you monitor employee email traffic without communicating that fact or disclosing it in your policy, that destroys employee trust. And that matters, he says, because while insiders may pose a threat, your employees are also potentially your first line of defense, provided they understand both the stakes and their responsibilities for safeguarding data.
"The key is really about openness, trust and communication," Durbin says. "Make sure your policies are current and appropriate for the way you're doing business."