Penetration Test novice

Hi,

We are trying to sort out a pen test on a new building that we are
moving into with new network and technology.

Would you say that the most important part of a pen test is the threat
from internal users and what can be done to minimise this?

This is a novice question, but just trying to work out how all this
should be done properly.

We are concerned that data could leave the building one way or
another.

Many Thanks for any help,

Phil