by whyever 399 days ago
The main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf

Bookkeeping will alert you to employees stealing your money. It won't alert you to employees selling information.
Access logs do help with this. They have been successfully used by the police to identify rogue officers abusing their access to police databases.