Most Boards Have an Incident Response Plan They’ve Never Actually Tested
The NSW Treasury insider breach didn’t start with a hacker — it started with a staff member, valid credentials, and access controls a board had already approved. Over 5,600 sensitive documents moved across multiple departments before monitoring flagged anything. Most incident response plans are built for external attackers, leaving no framework for the harder question: when does a trusted employee doing normal work at abnormal scale become a security incident? Until boards treat insider preparedness as a design problem rather than a policy they sign off once, they’ll keep being surprised by threats already inside the building.
