By enforcing the principle of least privilege, employees only have the minimum level of access necessary to perform their duties. This effectively reduces the attack surface and limits the potential damage an insider could do, as their ability to access sensitive resources is restricted. Regular audits and security awareness training are important but they are more about detecting and educating against insider threats rather than preventing the actual damage. A reporting and response plan is reactive, coming into play after an incident has occurred, rather than proactively reducing risk.