The more money that companies spend on securing their IT operations from external attack, the more it seems they become aware that the potential threat posed by their own employees remains their most significant risk.
A new study published by consultants Deloitte on Tuesday finds that financial services companies -- among the most advanced and deep-pocketed consumers of security technologies in the world -- are still struggling with the concept of handling the insider threat issue despite all the cash they're dropping on security technologies.
In the survey of 100 global financial services firms, Deloitte found that 91 percent of those questioned were concerned about their inability to respond to insider threats, while 79 percent were willing to cite "the human factor" as the root cause for a majority of their security issues.
Despite that and all the different types of security tools companies have adopted, the survey found that 22 percent of the companies interviewed hadn't provided any new security training to their workers in the past year, and only 30 percent indicated a belief that their current employees were skilled enough to respond to an emerging security crisis.
The apparent lack of faith in their ability to control the insider threat shows that many businesses are aware that they are only just beginning to tackle the problem, the report's authors said.
"The contradictory findings highlight the security paradox financial institutions are facing," Mark Steinhoff, leader of the firm's financial security and privacy services practice, said in the report. "Security training and awareness, along with access and identity management -- of employees, clients, and suppliers alike -- are among organizations' top initiatives this year as they fight to keep pace with the ever-changing threat landscape."
Beyond training, more companies are also enlisting the help of additional security systems aimed specifically at thwarting internal attacks and preventing mistaken data breaches.
In addition to tools that offer the ability to track IT systems usage more comprehensively -- and create electronic paper trails that give forensics experts a string of clues when investigating any misbehavior or mistake -- enterprise organizations claim that they are also blending physical and IT security to stay abreast of what their workers are up to.
"We've been putting cameras on all entrances and exits, looking at using badge numbers for tracking purposes, and keeping a closer eye on what people are doing and where they are going," said Adam Le, director of IT infrastructure at Alliance Imaging, a healthcare testing specialist. "We're also contemplating things like fingerprint scanners and other biometrics and looking at encrypting all data at rest on laptops."
Companies walk a fine line in balancing the need to watch over their workers for security purposes and becoming too intrusive, the expert admitted. However, Le said that with businesses like Alliance facing mounting pressure from regulators to lock down every piece of patient data they record, employees must understand that the process is about protecting the firm and not about assessing personal work habits.
In another effort to deal with the insider threat, Alliance, which provides outsourced medical imaging capabilities to hospitals and other healthcare organizations, has added new user authentication and monitoring tools made by ConSentry to its IT environment.
By increasing security for remote workers and giving the firm a more detailed roadmap of file access activities carried out by its employees and customers, Le said he believes Alliance is finally getting ahead of the insider problem and arming itself with a way to keep everyone honest.
One of the most significant issues the company has dealt with in the past has been efforts by insiders to view the records of famous or high-profile patients, activities that are directly at odds with the Health Insurance Portability and Accountability Act medical data protection regulation.
In some cases, the incidents have been the result of mere nosiness, while in others, the firm suspects that workers may have been looking to share sensitive data with outsiders for a profit.
Having conducted both technological and physical penetration tests on its operations, Alliance feels it is making the right moves to address the issue now that it has augmented its operations in this way, Le said.
"With the threat of data theft for identity fraud or to get information on our high-profile customers, we had to work to get a better picture of who was accessing what files," said Le. "Since putting the tools in place, we've been able to track people down when they do something wrong, and I think that type of response travels among workers by word of mouth; overall those types of issue have almost disappeared now that people know that their activities will be monitored."
Matt Hines is a senior writer at InfoWorld.



