Quite hard to prove an insider job too.
Its possible to know data accessed, but if nothing *obviously* done with that data (& user has legit reasons to access the data) then nothing obviously bad has occurred.
If decent measures in place (e.g. no external USB / bluetooth devices allowed, no user devices on wifi network, restricted internet access so no copying to third party site / emailing data to someone, logs of any files created / printed by the user and their contents, company mobiles locked down & monitored, etc, etc, etc.) still cannot be sure no data "theft" as a quick (personal) mobile phone photo or several can capture a lot of useful data when e.g. having opened customer database as part of legit fault fixing...
I'm sure plenty of places suspect data theft but have no proof unless the thief left traces.
Though I would be more suspicious of the manager / sales people in data slurping than the IT bods as its much rarer an IT person (compared to sales etc staff) goes to work for a competing company in same market area as a lot of alternative IT options, less so for sales staff in a particular "niche" area (& lets face it, a certain subset of sales staff have a rep for taking their contacts list with them from job to job as part of the job offer made to them is based on the value of their relationships with customers in their "area" of sales).