
Dr. Crime's Terminal of Doom and Other Tales of Betrayal, Sabotage and Skullduggery

10.06.2002
By Sarah Scalet

And in March, the FBI arrested a former employee of Global Crossing on charges of identity theft and posting threatening communications on the Internet--this after he allegedly posted menacing messages and personal information at his website (including Social Security numbers and birthdays) about hundreds of current and former employees at the communications company.

Those cases attract wide publicity, yet observers say they are surprised at how little companies do to minimize the risk posed by employees. "I'll talk to my peers in other organizations, where it's sort of, 'We think we're protected--there's a guy downstairs who takes care of it,'" says Tim Talbot, senior vice president and CIO at PHH Arval, a fleet-management company based in Hunt Valley, Md., that's a subsidiary of the Avis Group. "OK, so the guy downstairs has never made a mistake, knowingly or unknowingly?"

Many companies don't do enough to protect against insider threats because they are leery of breaking the trust they have built with their employees. Treat someone like a criminal, the thinking goes, and he might start to act like one. The good news is that there are some easy ways to improve internal security without making honest people feel like crooks--steps that will help protect against external threats as well. Here are five things you can do.

1 Emphasize Security from Day One

Good security starts with whom you hire, and that's why it's crucial to have a preemployment screening, including reference checks, says one executive who's been there. "You really have to know the people that you're hiring and make sure that their interests ally with yours," says Craig Goldberg, CEO of New York City-based Internet Trading Technologies, which successfully prosecuted two employees who, unhappy with the company, attempted extortion and then attacked the company's systems.

CIOs can also limit the damage any one employee can do by setting up access controls that map a person's job function to the resources he needs to do that job. Do that from day one, and your company can avoid giving the impression that access levels have to do with him as a person--they're simply part of a given job function.
