The Threat Inside the Building: Lessons from the NSW Treasury Data Breach
When we think about cyber threats, most of us picture someone on the other side of the world trying to break through a firewall. The NSW Treasury breach, announced by the NSW Treasurer on 21 April 2026, is a reminder that the risk isn’t always external.
In this case, it wasn’t ransomware or a phishing email. It was allegedly a staff member transferring a large volume of confidential commercial and financial documents to an external server. The investigation, known as Strike Force Civic, resulted in criminal charges within 48 hours, and the data was secured before it could be leaked or sold.
That outcome wasn’t luck. It was the result of having the right monitoring in place.
Why Insider Threats Are Harder to Catch
In a small business, trust is essential. You know your people. That familiarity is one of your strengths, but it can also create blind spots.
Over time, employees accumulate access to systems and files that may go well beyond what they actually need for their day-to-day work. When someone with legitimate credentials decides — or is coerced — to misuse that access, your firewall and email filters won’t stop them. They’re already inside.
This is what makes the insider threat one of the most difficult risks to manage, and one of the most commonly overlooked.
What Small Businesses Can Learn From This
The NSW Treasury incident ended well because the anomaly was detected before the damage became irreversible. For an SME, a breach of confidential commercial or financial data can be existential. The good news is that the principles that protected that government department are accessible to businesses of any size.
Limit access to what’s actually needed. Not everyone needs access to everything. Applying the Principle of Least Privilege — giving staff only the access required for their specific role — significantly reduces your exposure. Review permissions regularly, not just when someone joins or leaves.
Monitor for unusual behaviour, not just malicious files. Traditional antivirus looks for known threats. What you also need is visibility into how your data is moving. Large file transfers, access to folders outside someone’s normal activity, or syncing to external storage are all behaviours worth flagging. This kind of monitoring doesn’t require an enterprise budget — it requires the right configuration and someone paying attention.
Isolate devices that show signs of compromise. If a device starts behaving suspiciously, your systems should be able to cut it off from the rest of the network quickly. The faster you can contain unusual activity, the less damage it can do.
Build offboarding into your security process. As we’ve covered in a previous post, departing employees are a significant and often overlooked risk. Revoking access promptly and completely is one of the simplest things you can do to reduce insider threat exposure.
Know what you’re protecting and where it lives. You can’t monitor what you haven’t identified. A basic data inventory — understanding where your sensitive commercial, financial, and client information is stored and who can reach it — is the foundation of everything else.
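The behaviours named under "Monitor for unusual behaviour" above (large transfers, folders outside someone's normal activity, data going to external storage) can be checked against a per-user baseline built from ordinary activity. The sketch below is an added example, not part of the original post and not taken from the NSW Treasury investigation; the log fields, the allow-list of internal destinations, the 10x size threshold and all sample rows are assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the incident): user, folder, destination, bytes
BASELINE_LOG = """user,folder,dest,bytes
alice,/finance/invoices,fileserver.internal,2000000
alice,/finance/invoices,fileserver.internal,3500000
alice,/finance/payroll,fileserver.internal,1200000
bob,/sales/quotes,fileserver.internal,800000
bob,/sales/quotes,fileserver.internal,950000
"""
TODAY_LOG = """user,folder,dest,bytes
alice,/finance/invoices,fileserver.internal,2800000
bob,/sales/quotes,fileserver.internal,900000
bob,/finance/contracts,storage.example.net,450000000
"""
INTERNAL_DESTS = {"fileserver.internal"}  # assumed allow-list of approved destinations

def parse(text):
    """Read CSV transfer records and convert the byte count to an integer."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes"] = int(r["bytes"])
    return rows

def build_baseline(rows):
    """Per user: folders normally touched and typical (median) transfer size."""
    folders, sizes = defaultdict(set), defaultdict(list)
    for r in rows:
        folders[r["user"]].add(r["folder"])
        sizes[r["user"]].append(r["bytes"])
    return {u: (folders[u], median(sizes[u])) for u in folders}

def flag(rows, baseline, internal=INTERNAL_DESTS, factor=10):
    """Return (row, reasons) for each event that departs from the user's baseline."""
    alerts = []
    for r in rows:
        # A user with no history has an empty baseline, so their activity is flagged.
        known_folders, typical = baseline.get(r["user"], (set(), 0))
        reasons = []
        if r["dest"] not in internal:
            reasons.append("external_destination")
        if r["folder"] not in known_folders:
            reasons.append("unusual_folder")
        if r["bytes"] > factor * typical:
            reasons.append("large_transfer")
        if reasons:
            alerts.append((r, reasons))
    return alerts

if __name__ == "__main__":
    for row, reasons in flag(parse(TODAY_LOG), build_baseline(parse(BASELINE_LOG))):
        print(row["user"], row["folder"], row["dest"], row["bytes"], reasons)
```

An event that trips several reasons at once, as the last constructed row does, is the one to review first; a single reason on its own is often routine work.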
The Broader Point
The NSW Treasury case is a useful reminder that security isn’t just about keeping outsiders out. It’s also about having enough visibility into your own environment to catch problems early, regardless of where they come from.
You don’t need a government-scale security team to achieve that. You need clear policies, appropriate access controls, and monitoring that gives you a realistic picture of what’s happening in your systems.
If you’re not sure where your gaps are, that’s a good place to start. Contact us to talk through a security review for your business.


