Fun tip from SANS on insider attacks. What is the first item? This:
"Keep good logs. Logs should show who is doing what to your data. In particular, if insiders use admin-level access to change data or review users' data."
Of course! While people continue the futile search for the ultimate anti-insider technology (free tip: it doesn't exist!), logs, which sit right under their noses, contain the records of all activities. Such info is extremely useful for investigating insider behavior today as well as - in the future, I hope - predicting their transgressions.
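The kind of check the tip describes, as an added example (not from SANS or the original post): the script scans audit records for admin-level reads or changes of data owned by someone else. The key=value log format, the field names and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z actor=jsmith role=user action=read owner=jsmith object=mailbox/jsmith
2024-03-04T09:15:44Z actor=root_bob role=admin action=read owner=jsmith object=mailbox/jsmith
2024-03-04T09:16:02Z actor=root_bob role=admin action=update owner=akhan object=payroll/akhan
2024-03-04T09:20:10Z actor=root_bob role=admin action=restart owner=- object=service/httpd
2024-03-04T09:31:57Z actor=akhan role=user action=update owner=akhan object=payroll/akhan
garbled line without fields
2024-03-04T10:02:33Z actor=ops_eve role=admin action=read owner=ops_eve object=mailbox/ops_eve
"""

FIELD = re.compile(r"(\w+)=(\S+)")
DATA_ACTIONS = {"read", "update", "delete"}  # "review" and "change" in the tip's wording
REQUIRED = {"actor", "role", "action", "owner", "object"}

def parse(line):
    """Return (timestamp, fields), or None if the record lacks a required field."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    return (ts, fields) if REQUIRED.issubset(fields) else None

def admin_access_to_user_data(log_text):
    """Find admin-level reads or changes of data owned by another user."""
    findings, unparsed = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        if rec is None:
            unparsed += 1  # count gaps instead of hiding them from the investigator
            continue
        ts, f = rec
        if (f["role"] == "admin" and f["action"] in DATA_ACTIONS
                and f["owner"] not in ("-", f["actor"])):
            findings.append((ts, f["actor"], f["action"], f["object"]))
    return findings, unparsed

def per_actor(findings):
    """Count flagged events per admin account."""
    return Counter(actor for _, actor, _, _ in findings)

if __name__ == "__main__":
    hits, bad = admin_access_to_user_data(SAMPLE_LOG)
    for ts, actor, action, obj in hits:
        print(f"{ts} {actor} {action} {obj}")
    print(f"unparsed records: {bad}")
```

A check like this only works if the log records the actor, the role in use and the owner of the data touched, which is the "who is doing what to your data" requirement in the quoted tip.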
BTW, I wrote this great piece on using logs vs insiders (to be published in ISSA Journal in November - check it out when it hits the shelves).