Insiders Are the Biggest Security Threat
Damage by insiders such as Sullivan "is an incredibly fast-growing problem," says Patrick Gray, who worked for the FBI for 20 years until he retired in late 2001 to join Internet Security Systems, a managed security company based in Atlanta. "It’s a tough threat that CIOs are going to have to address. Whether you’re a Fortune 100 company or a three or four person company, you still have to deal with that biosphere that sits between the keyboard and the chair."
Supposedly the wake-up calls came in 1996, in computer sabotage’s most famous chapter, when a former systems administrator at Omega Engineering in Bridgeport, N.J., unleashed malicious code that cost the company more than $10 million; in February 2002, Tim Lloyd, 39, was sentenced to 41 months in federal prison and ordered to pay Omega more than $2 million in restitution.
But the bells are still ringing.
This past January, Cumming, Ga.-based software vendor NetSupport worked with the FBI to arrest a sales manager who allegedly offered to sell the company’s customer list to at least two competitors for $20,000.
And in March, the FBI arrested a former employee of Global Crossing on charges of identity theft and posting threatening communications on the Internet, this after he allegedly posted menacing messages and personal information at his website (including Social Security numbers and birthdays) about hundreds of current and former employees at the communications company.
Those cases attract wide publicity, yet observers say they are surprised at how little companies do to minimize the risk posed by employees. "I’ll talk to my peers in other organizations, where it’s sort of, ‘We think we’re protected; there’s a guy downstairs who takes care of it,’" says Tim Talbot, senior vice president and CIO at PHH Arval, a fleet-management company based in Hunt Valley, Md., that’s a subsidiary of the Avis Group. "OK, so the guy downstairs has never made a mistake, knowingly or unknowingly?"
Many companies don’t do enough to protect against insider threats because they are leery of breaking the trust they have built with their employees. Treat someone like a criminal, the thinking goes, and he might start to act like one. The good news is that there are some easy ways to improve internal security without making honest people feel like crooks, steps that will help protect against external threats as well. Here are five things you can do.
Emphasize Security from Day One
Good security starts with whom you hire, and that’s why it’s crucial to have a preemployment screening, including reference checks, says one executive who’s been there. "You really have to know the people that you’re hiring and make sure that their interests ally with yours," says Craig Goldberg, CEO of New York City-based Internet Trading Technologies, which successfully prosecuted two employees who, unhappy with the company, attempted extortion and then attacked the company’s systems. (Goldberg told his story at a recent CIO security forum webcast. Find it online at www.cio.com/printlinks.)