Department for Business, Enterprise & Regulatory Reform  
Achieving best practice in your business

 
Security in job definition and resourcing

A well-trained, well-educated and suitably motivated workforce is one of the most cost-effective means of ensuring ongoing information security. It is recognised, however, that malevolent or ill-disposed staff can pose a real threat to a company's information assets.

A variety of measures can be used to reduce this risk. These include:

1. Incorporating security in job descriptions - this should include any general responsibilities for the implementation or maintenance of security, as well as any specific responsibilities such as the execution of a particular process, e.g. virus scanning, back-ups.

2. Personnel screening - where possible, verification checks on permanent staff should be carried out at the time of job application. These may include the use of character references, a check of the CV, and confirmation of a claimed academic record and professional qualifications. These checks could be extended when an individual is to have access to sensitive information. It is important that similarly appropriate checks are made on contractors and temporary staff who have the same access as permanent staff.

3. Using confidentiality agreements as part of any employment agreement.

 