At least for me - rules learned in 70's in insurance business, etc. I used to hire an outside security company to check all that kind of holes in our security because trying to find those yourself doesn't always work. Why, because people know you so they automatically trust you more and are more careless. Of course you can always tell them that you shouldn't do this or that but if they get it on report (not always published - heh!) from outsider it is more effective.

In IT, we had very strong(?) authentication, authorization and auditing in place - accessing the system of company information and even for all the HW and HW manuals. Did catch one industrial spy, credentials correct but the operators got suspicious and called cops. Did catch many insiders - some mistakes, some malicious (big ones - a lot of money going around..) Competitors were not so bad, they had the same problems so we did work together - a meeting once a month on security and if any did even think someone distributing inside information, all were informed and it was checked out.

Today the view is a little (not much) different, Internet has created it's own problems, but the basics haven't changed. Don't leave information unsafe, don't let unauthorized persons to see it, try to minimize the mistakes caused by technology, layer you security and, most important, test and audit the security regularly.