So who has access to your e-mail?

20.10.2006

Encrypting internal data on disk systems is viewed as one viable way of protecting sensitive data, but both Avery and Oltsik say very few companies use this solution.

According to Ralf Saykiewicz, managing partner at XaHertz Consulting in Orlando, only very large companies, such as Target Corp., Wal-Mart Stores Inc., Accenture Ltd. and IBM Global Services, practice this strategy. Saykiewicz says that in a multinational company of 15,000 employees, 20 to 30 people at headquarters alone would have high-level data access.

Hanging a price tag on the development of a secure internal IT infrastructure is an inexact science at best, but price tags would likely range from US$100,000 to $1 million, according to analysts. "I'd probably say you're looking at a million bucks or so," Avery says, pointing to the costs of hardware, software and salaries. Adds Saykiewicz, "I would give you a very ballpark figure of between $100,000 and a quarter million dollars. You need to put in the consulting time, and you need to put in the software."

In large part, the justification for comprehensive security systems rests on the largely unknown number of internal security breaches that are increasingly plaguing companies. Documenting these abuses is difficult because so many of them go unreported over concerns about the negative public relations fallout.

For the first time, the CSI/FBI Computer Crime and Security Survey in 2006 asked 536 respondents to estimate attacks coming from inside an organization versus those from outside. More than one-third (37 percent) of respondents attributed more than 20 percent of their company's losses to insiders. Another 29 percent attributed some share of losses, but less than 20 percent, to the actions of insiders. Only 7 percent of respondents thought that insiders account for more than 80 percent of their organization's losses. Lastly, 32 percent said that insider threats account for none of their cyber losses.