Cyber Ethos

Facebook Linkedin Instagram Youtube
logo

Most Boards Have an Incident Response Plan They’ve Never Actually Tested

TL;DR: The NSW Treasury insider breach exposed how a trusted staff member accessed 5,600+ sensitive documents across multiple departments before detection. Most boards approve incident response plans built for external attacks, not insider threats. The gap between what boards think they’ve approved and what operates in practice leaves organisations vulnerable to legitimate users doing normal work at abnormal scale.

What you need to know:

  • Detection came only when documents moved to an external server, not during months of internal aggregation
  • Access controls approved by boards often permit single users to reach thousands of cross-departmental files
  • Most incident response plans have no decision framework for when trusted employee behaviour becomes a security incident
  • The CISO, not HR, should have default authority to classify anomalous data access as a potential security incident
  • Boards need explicit volume, velocity, and pattern thresholds that trigger escalation before thousands of documents move

What Happened in NSW

On 21 April 2026, the New South Wales Government disclosed a significant insider data breach. A Treasury staff member allegedly accessed and downloaded over 5,600 sensitive documents spanning multiple government departments and projects, then transferred them to an external server.

Internal security monitoring detected the issue. Police executed a search warrant. Devices were seized. Charges were laid for accessing or modifying restricted data.

The government emphasised there was no external compromise to systems and no impact to services.

Technically accurate. Wrong frame entirely.

The question is not whether systems stayed online. The question is whether your board’s incident response plan would have caught this pattern any sooner than NSW did.

I’ve sat in enough boardrooms to know the answer. Most plans would not.

Key insight: Systems integrity and data confidentiality are separate risk dimensions. Most boards conflate them.

How Boards Picture Insider Risk vs How It Actually Materialises

What stands out about this incident is how ordinary the threat vector looked.

Not a sophisticated external attacker. Not a Hollywood saboteur. A staff member in a normal role, with legitimate access, able to reach thousands of sensitive documents across multiple areas of government.

Boards still picture insider threats as rare, highly motivated bad actors. The NSW case shows the more realistic pattern: an ordinary employee doing something extra with access they already have.

The official statement stresses no external compromise. That focuses on system integrity. The core risk is confidentiality of information already taken by a staff member using authorised credentials.

I see this pattern repeatedly. Organisations over-index on defending against external intrusion. They under-index on monitoring how sensitive data moves internally and leaves via authorised accounts.

Key insight: Insider threats look like legitimate users doing normal activities at abnormal scale, not external attackers generating obvious signals.

What Boards Think They Approve vs What They Get

Boards approve access control policies believing they’re signing off on tight, principled control of who sees what.

What they often get is a framework that sounds strong but allows a single staff member to legitimately touch thousands of sensitive documents across multiple parts of the organisation.

The NSW facts are plain: within approved access and data governance settings, one official could reach and move a very large volume of sensitive, cross-departmental material using an internal account before detection.

This gap arises because:

Role descriptions are broad. Projects cross agency boundaries. Over time, individuals accumulate access well beyond strict need to know.

Data governance frameworks describe principles but don’t enforce hard technical segmentation between departments or projects sharing platforms.

Monitoring focuses on external attacks rather than fine-grained patterns of internal data aggregation and exfiltration.

Boards think they’ve approved least-privilege access and tight data boundaries. The operational reality still allows one person to lawfully touch a surprisingly wide pool of sensitive information.

Key insight: What boards approve on paper and what operates in practice are often two different architectures.

Why External Intrusion Monitoring Fails to Catch Internal Aggregation

In NSW, monitoring triggered when documents moved to an external server.

By then, the staff member had allegedly already accessed and downloaded more than 5,600 sensitive documents across multiple departments.

That gap is the problem.

Boards assume monitoring will flag insider issues early, the same way it flags external attackers. Wrong. External intrusion is detected when someone unusual tries to get in. Internal data aggregation is harder to spot because it’s a legitimate user doing normal things at abnormal scale.

External attackers generate signals: unusual logins, failed attempts, malware signatures, suspicious IP traffic. Monitoring is built to spot that.

With an insider, the account and device are both valid. The only way to distinguish normal from abnormal is behavioural analytics over time: one official suddenly touching documents from multiple departments at unusual volume.

That kind of monitoring is harder. Many organisations are still building it. This case shows how far an insider goes before behaviour crosses whatever threshold the tools and rules are set at.

Research shows the average time to contain an insider threat incident is 67 days. Only 12% of incidents are contained within 31 days. Incidents contained within 31 days cost $10.6 million annually. Those taking over 91 days cost $18.7 million, 76% more.

If you notice an insider after 5,600 documents have moved, your thresholds were tuned for comfort, not control.

Key insight: Perimeter-focused monitoring tells you when someone tries to break in, not when authorised users are quietly building their own breach from the inside.

The Question That Exposes the Missing Playbook Page

When I’m advising a board, I ask this:

“In your incident response plan, where is the first decision point that says: A staff member, in good standing, using normal credentials, has downloaded thousands of sensitive documents they’re technically allowed to see. At what point does this become an incident, who owns it, and what do we do in the first two hours?”

The silence after that question is the tell.

Most plans handle well:

  • External compromise of systems
  • Outages or service disruption
  • Clear data loss events like ransomware or large external leaks

They don’t spell out, in plain language, how to handle the NSW pattern: internal data aggregation across multiple departments and projects, using a legitimate account, with detection only at the point of external transfer.

Once a board sees that page is missing, they’re ready to talk seriously about insider risk, behaviour-based monitoring, and governance that treats this as a first-class scenario.

Key insight: Most incident response plans are event-centric (system under attack) rather than behaviour-centric (trusted user doing normal things at abnormal scale).

Who Owns the Decision When the Attacker Is on Payroll

Here’s the hardest part: who has the mandate to say this is now a security incident when the person in question is a trusted employee, not an obvious attacker.

In many organisations, authority to classify anomalous insider behaviour is implicit, spread between security, IT, HR, and legal. Exercised ad hoc, case by case, rather than defined clearly in the incident response plan.

That grey zone is where time is lost and accountability becomes fuzzy.

My position: if the behaviour involves access to systems or data (logins, downloads, transfers) the default framing should be potential security incident, not performance issue.

The incident response plan should state the CISO has the mandate to make the initial classification that anomalous insider behaviour is a security incident candidate, whilst HR and legal considerations are assessed in parallel.

The pushback I hear: If we let security classify this as an incident, we’ll overreact and trample HR process.

My response: classification is not conviction. Asking the CISO to flag a potential security incident is about protecting systems and information, preserving evidence, and activating the right governance early. Employment consequences still sit with HR and legal.

When you’re dealing with thousands of sensitive documents across multiple departments, you’re already in security incident territory, regardless of how the HR process plays out. The risk is to the information and the institution, not one employment relationship.

About 60% of organisations handle HR and security coordination via informal chats, ad hoc emails, or manual ticket creation, with no automated workflows. If the coordination between the two functions most critical to insider incident response exists primarily through informal chats, the incident response plan approved by the board is unexecutable under pressure.

Key insight: Security should have default authority to classify anomalous data access as a potential incident, with HR and legal as essential partners, not gatekeepers.

Three Questions That Pierce Through No External Compromise

In the first 24 hours after an insider incident is declared, a good board needs a clear, disciplined briefing and questions that cut through the theatre.

When boards get polished briefings focused on no external compromise and no service impact, these three follow-up questions force management from reassurance to substance:

Question 1: Exactly what was at stake before you contained it?

Cut straight past systems are fine to what could have gone wrong.

Phrase it: You’ve told us there was no external compromise and no impact to services. Before containment, what was the realistic worst-case impact on the confidentiality of our information, and which portfolios or stakeholder groups were in scope?

This forces management to talk about data, not systems. Forces them to articulate the governance perimeter: which business areas, agencies, or partners were potentially exposed, regardless of whether services stayed online.

Question 2: What did this incident reveal about our controls that we didn’t know last week?

Move them from narrative to learning.

Set the comforting language aside. Based on what we know so far, what has this incident revealed about gaps in our access controls, monitoring, or data governance that we genuinely didn’t appreciate a week ago?

This makes it unacceptable to present the event as a one-off aberration. A serious answer has to wrestle with whether thresholds were set too high, whether cross-portfolio access is too broad, or whether insider scenarios were under-represented in the incident playbook.

If they can’t name a single uncomfortable control gap they’ve found, they’re managing optics, not risk.

Question 3: Which decision are you delaying today that our future self will wish we took now?

Pull them out of the 24-hour news cycle into long-term accountability.

Looking at this insider incident, what is the one risk, control change, or notification decision you’re not making today because it’s uncomfortable, that a future inquiry, audit, or board will wish we’d acted on immediately?

This reframes the board’s role from passive recipient to future witness. Forces management to think about the long tail: regulatory scrutiny, cross-agency trust, precedent for future insider cases, and whether their current response will look adequate in six to twelve months.

Key insight: Boards that ask these three questions shift management from narrative management to risk management.

What Boards Still Underestimate After Cases Like NSW

Even after incidents like NSW, boards underestimate how much deliberate, ongoing design work is required to make insider threat a detectable, governable problem rather than a theoretical one.

In practical terms, they underestimate:

How hard it is to tune monitoring so a legitimate staff member aggregating sensitive data across departments is visible early, not only when a substantial cache heads to an external server.

How much discipline it takes to hard-wire insider scenarios into access design, incident playbooks, and governance, instead of assuming the existing external breach machinery will stretch to fit.

How actively they, as a board, have to keep asking the uncomfortable questions: thresholds, ownership, early escalation, and whether the plan they approved would have caught our version of the NSW staffer any sooner.

Only 49% of executive leaders believe their board members are fully aware of the risks their organisations face. If half of executive leaders don’t believe their own boards understand the risks they’re accountable for, incident response plans approved in those boardrooms are built on comfortable fictions rather than shared understanding.

Insider threat preparedness is not a policy to sign off once. It’s a continuous act of engineering and governance. Most boards treat it as an annual discussion topic, not a design problem they’re accountable for shaping and revisiting.

Key insight: Insider threat preparedness is continuous engineering and governance work, not a one-time policy approval.

Frequently Asked Questions

How do insider threats differ from external cyber attacks in terms of detection?

External attacks generate obvious signals: unusual login attempts, malware signatures, suspicious IP addresses. Insider threats involve legitimate users with valid credentials doing normal work at abnormal scale. Detection requires behavioural analytics that spot patterns over time, not perimeter defences that block unauthorised access.

What volume or pattern of document access should trigger a security incident classification?

Boards should demand thresholds for high-value data sets: at what volume of access or download by a single user does this automatically become a security alert? What velocity spike moves from normal busy period to suspicious activity? What pattern of cross-departmental or cross-system access by one user triggers escalation? The specific numbers depend on your environment, but the questions are universal.

Who should have authority to declare an insider situation a security incident?

The CISO should have default authority to classify anomalous data access involving systems or information as a potential security incident. HR and legal remain essential partners for employment process and procedural fairness, but they should not be gatekeepers who can quietly downgrade serious insider patterns to conduct matters without formal incident governance.

What should boards expect to hear in the first 24 hours after an insider incident?

A competent briefing covers four elements: nature of the incident (who, what data, which systems), status of containment and law enforcement engagement, preliminary data and stakeholder impact assessment, and clear governance and coordination structure with named accountable executives and next decision points requiring board involvement.

How long does it typically take to contain an insider threat?

Research shows the average containment time is 67 days. Only 12% of incidents are contained within 31 days. Speed matters financially: incidents contained within 31 days cost $10.6 million annually, whilst those taking over 91 days cost $18.7 million, 76% more. Detection speed directly impacts containment speed and financial exposure.

Why do access controls approved by boards often fail to prevent insider data aggregation?

Role descriptions are broad, projects cross organisational boundaries, and individuals accumulate access over time well beyond strict need to know. Data governance frameworks describe principles but don’t enforce hard technical segmentation. Monitoring focuses on external attacks rather than internal data movement patterns. The framework approved on paper operates differently in practice.

What percentage of organisations have formal HR and security coordination for insider incidents?

About 60% of organisations handle coordination via informal chats, ad hoc emails, or manual processes with no automated workflows. If the two functions most critical to insider incident response coordinate primarily through informal channels, the incident response plan is unexecutable under real pressure.

Should boards treat no external compromise as reassurance after an insider incident?

No. No external compromise addresses system integrity. The core risk in insider incidents is confidentiality of information already taken by authorised users. These are separate risk dimensions. Boards that accept no external compromise as the dominant message miss the actual governance exposure: what data was at stake, which stakeholders were affected, and what control gaps the incident revealed.

What This Means for Your Board

A staff member allegedly accessed and downloaded over 5,600 sensitive documents across multiple government departments before a suspected transfer to an external server triggered detection.

Not a story about one individual.

A story about how our systems, our monitoring, and our governance are wired.

Until boards see insider preparedness as a design problem they must keep reshaping, rather than a policy they approve once, they’ll continue to be surprised by threats already inside the building.

The question is not whether your organisation could face an insider incident. The question is whether your incident response plan would recognise it before thousands of documents have already moved.

Most boards don’t know the answer because they’ve never asked the question.

Now is the time to ask.

Key Takeaways

  • The NSW Treasury breach shows how trusted insiders with legitimate access can aggregate thousands of sensitive documents across departments before detection at the point of external transfer.
  • Most incident response plans are built for external attacks (event-centric) rather than insider threats (behaviour-centric), leaving a critical gap when authorised users do normal work at abnormal scale.
  • Boards approve access controls and data governance frameworks on paper that operate very differently in practice, allowing single users far broader reach than intended.
  • Detection of insider threats requires behavioural analytics over time, not perimeter monitoring designed to catch external intrusion attempts.
  • The CISO should have default authority to classify anomalous data access as a potential security incident, with HR and legal as partners, not gatekeepers.
  • Boards must demand explicit volume, velocity, and pattern thresholds that trigger escalation, and ask whether their plan would catch their version of the NSW pattern any sooner.
  • Insider threat preparedness is continuous engineering and governance work, not a one-time policy approval, requiring boards to actively revisit thresholds, ownership, and escalation protocols.
Kiran Kewalramani

Kiran Kewalramani

Kiran Kewalramani stands as an acclaimed technologist with over two decades of robust executive experience in technology, cybersecurity, data privacy and cloud solution enablement. His illustrious career has been marked by transformative roles in esteemed organizations, including Cyber Ethos, Queensland Department of Education, Gladstone Area Water Board, NSW Rural Fire Service, NSW Police Force, Telstra, American Express, and more.

Linkedin Instagram Facebook