Recent studies have shown that 50-70% of all attacks on information security come from within the organization, and the length of time that the breach existed is often unknown. Many issues are involved in closing the gaps that cause such insider incidents and in strengthening the protection of data. Using the "need to know" principle, organizations can limit who has access to data. Controls that adjust granted access rights to actual needs exist and should be utilized. This session will focus on how to adjust data access rights, implement the "least privilege" principle, and use detective and proactive risk-oriented controls.