I like the honeypot idea, but wouldn't you pretty much need a full-time sysadmin to maintain it and keep it looking current and monitor it? I guess the honeypot could trip an alert to network control if it goes active. What if Bob has a doctor appointment scheduled after lunch and doesn't come back? We think he just took off the rest of the day, but what actually happened is he's under the control of a bunch of rogue RPG developers and Oracle DBAs intent to do damage!
At one agency that I was at we had a pretty decent system: our normal workaday account had no admin privilege: normal email, internet access, whatever, that we could do. Our admin accounts had no internet or email access, we ran a VM OS to use them. So go ahead, give up your normal account: it doesn't get them in to the goodies. And if you give them your admin account, they have to have physical access, which normally means that you're screwed anyway.
I've always thought it'd be cool to have a encrypted list of questions and answers for key personnel accessing critical systems, they have to answer one or two plus a 'prove you're not a machine' question. But we know based on large data breeches and identity theft that even those aren't very secure. So set a team to try to break accounts based on public searches, and if they breech a question because of public data, they get a $50 bonus that the key person has to pay! They'd soon learn how to do better questions and answers.
I guess you could also do a 'No 'Lone Zone' rule where two people have to enter passwords to grant access to a critical system.
The scenario makes for a fun movie, and it may have happened in some form, but I think it falls in to the edge case that you just can't realistically defend against.
They should get Ben Affleck to play the IT geek for the movie version (even though Harrison Ford already did one, didn't he?), he had fun when he did Paycheck.
[font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]