CTF: The Threat Is Already Inside — What Do You Do?
Difficulty: Hard | Time: 25–35 min | Linked product: IRP Template ($47)
The Setup
You run a 22-person financial planning firm in Brisbane. Last Friday, a senior financial adviser — let's call him Marcus — gave his four weeks' notice. He's going to a competitor. He says it's about career growth. You wish him well.
On Monday, your IT provider does a routine offboarding check and notices something. In the six weeks before Marcus gave notice, his Microsoft 365 account ran 47 bulk export jobs from your CRM. The exports targeted the client list — 340 clients, with full financial profile data, contact details, and investment holdings. The files were saved to his OneDrive personal folder, and from there, shared via a personal Gmail account on his personal laptop.
You check with your compliance team: your employment contract has a non-solicitation clause, but it was drafted in 2018 and your legal counsel says it's "probably enforceable but not bulletproof." You check your data classification policy. You don't have one.
Marcus is still working his notice period. He's in the office today.
This is an insider threat scenario with legal, HR, and forensic dimensions happening simultaneously. What's your move?
The Challenge
Question 1 — Do you confront Marcus immediately?
Your first instinct is to call Marcus into your office and ask him directly. Before you do, consider:
- What happens to your forensic evidence trail if Marcus knows you're aware?
- Does confronting an employee about suspected data theft before involving legal counsel create legal exposure for your firm?
- Under Australian employment law, what process must you follow before taking any disciplinary or termination action?
- At what point (if any) does this become a matter for the Australian Federal Police?
Question 2 — Scope and evidence
You need to understand exactly what was taken before you can act. List the specific data sources you'd query to build a complete picture of what Marcus exported, when, and where it went. For each source, note whether it requires a third party (Microsoft, Google) to produce the data, or whether you can pull it yourself.
Question 3 — The HR paradox
You have two conflicting pressures:
- Operational: You want Marcus out of the building immediately, access revoked, and his devices seized for forensic examination.
- Legal: Your employment lawyer says you cannot terminate without following a proper process, or you risk an unfair dismissal claim (even if he resigned — constructive dismissal rules can apply during a notice period if mishandled).
How do you resolve this tension? What interim measures can you take that protect evidence and reduce ongoing risk without triggering unlawful termination liability?
Question 4 — Client notification obligations
Your 340 clients' financial data — including investment holdings and personal financial profiles — has potentially been exfiltrated by a competitor. This is personal and potentially sensitive financial information.
- Does this trigger the Privacy Act NDB scheme?
- The data includes information that could be used to solicit clients away from you — is there a distinction between a financial harm to your clients and a commercial harm to your business in how you assess "serious harm"?
- What do you tell clients, and when?
Question 5 — Preventing the next one
This breach happened because:
- No DLP (Data Loss Prevention) controls on bulk CRM exports
- No data classification policy
- Personal cloud storage (OneDrive → Gmail) was not blocked
- No offboarding checklist that triggered access review when notice was given
Design a minimum viable insider threat control set for a 22-person firm with no dedicated IT staff. Maximum three controls. Each must cost under $50/month to implement.
ISO 27001 SMB Starter Pack — $147
Threat intelligence is one thing — having the policies and controls to respond is another. Get the complete ISO 27001 starter kit for SMBs.
Get the Starter Pack →
Hints
Hint 1 (Q1): In Australia, the threshold for involving the AFP is "serious computer offence" under the Criminal Code Act 1995 (Cth) — unauthorised access to data, with aggravating factors of commercial gain. Exfiltrating client data to give to a competitor likely clears this bar. But filing a police report does not prevent you from also pursuing civil remedies. The sequence matters: legal counsel → evidence preservation → HR process → then decide on AFP referral.
Hint 2 (Q2): Microsoft 365 stores audit logs (unified audit log) for up to 90 days on a standard licence, or 1 year on E3/E5. You can pull these yourself via the compliance portal or PowerShell. OneDrive sharing activity is in the same log. Gmail activity (what Marcus sent from his personal account) is not accessible to you — that would require a court order or AFP involvement.
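Pulling the unified audit log yourself, as the hint describes, looks like the following. This is an added example, not code from the original post or from any product it links to; it assumes the ExchangeOnlineManagement module is installed, that the account running it holds an audit-log reader role, and that the user principal name, date range, evidence folder and group of operations are placeholders you would replace. It also goes slightly beyond the hint by hashing the export and writing a custody line, because the export is only useful later if you can show it was not altered.

```powershell
# Added example (not from the original post): pull the Microsoft 365 unified
# audit log for one user over the six-week window in the scenario, export it
# to CSV, and start a chain-of-custody record. UPN, dates, folder and group
# names are placeholders.
Connect-ExchangeOnline

$Upn       = 'marcus@example-firm.invalid'   # placeholder UPN
$StartDate = (Get-Date).AddDays(-60)          # 60 days covers the six-week window
$EndDate   = Get-Date                         # and sits inside the retention period the hint gives
$OutDir    = 'C:\Evidence\marcus-audit'       # placeholder evidence folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Operations that show data leaving OneDrive/SharePoint: downloads, sync pulls,
# uploads to a personal folder, and every kind of sharing event.
$Ops = @('FileDownloaded', 'FileSyncDownloadedFull', 'FileUploaded',
         'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',
         'SecureLinkCreated', 'AddedToSecureLink')

# One call returns at most 5000 records, so page with a session id until the
# log is exhausted. ReturnLargeSet can repeat records; dedupe on Identity.
$SessionId = "insider-$Upn-$(Get-Date -Format yyyyMMddHHmm)"
$All = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -UserIds $Upn -Operations $Ops -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    $All += $Batch
} while ($Batch -and $Batch.Count -eq 5000)
$All = $All | Sort-Object Identity -Unique

# Flatten the AuditData JSON so counsel and a forensic examiner can read it.
$Rows = $All | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        User      = $_.UserIds
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
        Workload  = $d.Workload
        Target    = $d.TargetUserOrGroupName   # populated on sharing events only
    }
} | Sort-Object Time

$Csv = Join-Path $OutDir 'unified-audit-log.csv'
$Rows | Export-Csv -Path $Csv -NoTypeInformation

# Hash the export and record who pulled it and when. This line is the first
# entry in the custody log that Step 5 of the answer asks you to keep.
$Hash = Get-FileHash -Path $Csv -Algorithm SHA256
"$(Get-Date -Format o) | $env:USERNAME | $Csv | SHA256 $($Hash.Hash)" |
    Add-Content -Path (Join-Path $OutDir 'custody-log.txt')

# Quick triage: which days carried the most download events. A bulk-export
# pattern shows up as a handful of days with counts far above the rest.
$Rows | Where-Object Operation -In @('FileDownloaded', 'FileSyncDownloadedFull') |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

Two caveats a practitioner should keep in mind. The CRM export jobs themselves only appear in this log if the CRM is a Microsoft workload; a third-party CRM has its own audit trail, which is a separate source on your Question 2 list. And, as the hint says, nothing here reaches the personal Gmail side: the log ends at the point where the file left OneDrive.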
Hint 3 (Q3): The interim measure that resolves the HR paradox is suspension on full pay pending investigation. It's lawful, it's temporary, and it gets Marcus out of the building while your investigation proceeds. You can also revoke system access during a suspension — in fact, you should, framing it as "standard procedure during any investigation." Do not frame it as punishment.
Hint 4 (Q4): Financial planning client data is typically "sensitive information" under the Privacy Act because it relates to financial affairs and, depending on content, health or family circumstances. The OAIC's guidance on serious harm explicitly includes misuse of information for financial gain. "My competitor might steal your clients" is not how you notify — but "your financial profile information may have been accessed by an unauthorised party" is.
Hint 5 (Q5): Think about what you can enforce at the Microsoft 365 layer without additional software, what your CRM platform natively supports for export controls, and what a proper offboarding checklist achieves that no technology can replace.
Reveal: Full Answer to Question 3
Resolving the HR paradox:
The key insight is that investigation and termination are different events, and you only need to have the process right for the second one.
Step 1: Suspend on full pay, effective immediately
Contact your employment lawyer today and issue a formal letter of suspension on full pay, citing "an ongoing investigation into potential misuse of company systems." This is lawful under the Fair Work Act 2009 (Cth) — suspension during a legitimate investigation is not termination and does not trigger unfair dismissal protections.
The letter should:
- State that suspension is temporary and paid
- Direct Marcus not to attend the office or contact clients during the suspension
- Direct him to make himself available for interview as part of the investigation
- Confirm that his employment contract obligations (including confidentiality) remain in force
Step 2: Revoke system access simultaneously
Revoke Marcus's M365 access, CRM access, and VPN at the same time the suspension letter is issued. Frame this in the letter as "standard procedure during any investigation to ensure the integrity of evidence." This is defensible — you're not punishing him, you're preserving evidence.
Step 3: Seize his company device
His company laptop should be collected by IT immediately. This is straightforward — it's company property. Do not ask Marcus to hand over his personal device — you have no legal right to it. The personal device question is one for the AFP if you go that route.
Step 4: Do not interview Marcus without your lawyer present
Any interview of a suspected data thief that produces admissions can be evidence in civil or criminal proceedings. If those admissions were obtained improperly (coercive, without representation, without proper caution), they may be inadmissible. Have your lawyer on the phone or in the room.
Step 5: Document everything
From the moment you learned about the exports, log every action with timestamps. This becomes your evidence chain of custody for any future litigation or police referral.
The HR paradox resolves when you realise: you don't need to fire Marcus today. You need to contain the situation today, and investigate it properly so that when you do take action — termination for cause, civil proceedings, AFP referral — it's airtight.
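The technical half of Steps 2 and 5, revoking access at the moment the suspension letter goes out and logging each action with a timestamp, can be scripted so it happens in one pass rather than by hand across several admin portals. The block below is an added example, not code from the original post or its linked template; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin account with the listed Graph scopes and Exchange admin rights, and placeholder values for the UPN, log path and group names. The litigation hold is included as the mailbox-side counterpart of the "preserving evidence" framing in Step 2.

```powershell
# Added example (not from the original post): containment actions for a paid
# suspension, each one written to a timestamped action log. UPN, log path and
# group names are placeholders. Assumed Graph scopes are the delegated
# permissions needed to disable a user, revoke sessions and edit group membership.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All',
                        'User.RevokeSessions.All', 'Group.ReadWrite.All'
Connect-ExchangeOnline

$Upn = 'marcus@example-firm.invalid'     # placeholder UPN
$Log = 'C:\Evidence\marcus-actions.log'  # placeholder: the Step 5 action log

function Write-ActionLog {
    param([string]$Action)
    # ISO 8601 timestamp, who ran it, what was done: the chain-of-custody format.
    "$(Get-Date -Format o) | $env:USERNAME | $Action" | Add-Content -Path $Log
}

# 1. Block sign-in so no new sessions can be opened against M365.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Write-ActionLog "Sign-in blocked for $Upn"

# 2. Revoke refresh tokens so sessions already open on the laptop, phone or
#    browser stop working instead of surviving until they expire on their own.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-ActionLog "Existing sign-in sessions revoked for $Upn"

# 3. Place the mailbox on litigation hold: anything already deleted, or deleted
#    during the notice period, stays recoverable for the investigation.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true
Write-ActionLog "Litigation hold enabled on mailbox $Upn"

# 4. Remove the group memberships that grant CRM single sign-on and VPN.
#    Group names are placeholders; the CRM's own user list still needs checking.
$UserId = (Get-MgUser -UserId $Upn).Id
foreach ($GroupName in @('CRM-Advisers', 'VPN-Users')) {
    $Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if ($Group) {
        Remove-MgGroupMemberByRef -GroupId $Group.Id -DirectoryObjectId $UserId
        Write-ActionLog "Removed $Upn from group $GroupName"
    } else {
        Write-ActionLog "Group $GroupName not found; membership not changed"
    }
}

# 5. Verify and record the resulting state rather than assuming it.
$State = Get-MgUser -UserId $Upn -Property AccountEnabled
Write-ActionLog "Verification: AccountEnabled=$($State.AccountEnabled) for $Upn"
```

Run it from the same machine and account each time so the log's "who" column is consistent, and keep the log file itself in the evidence folder alongside the audit export. Note that a mailbox litigation hold does not cover OneDrive; preserving that content is a separate retention setting in the compliance portal, and the same applies to any non-Microsoft CRM.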
Get the Full Answer Key
You've seen one answer in detail. The remaining questions — on evidence scoping, client notification obligations, AFP referral thresholds, and building an insider threat control set on a tight budget — are covered in the Incident Response Plan Template for SMBs.
The template includes:
- Insider threat IR playbook with HR/legal sequencing built in
- Evidence preservation steps for M365, OneDrive, and CRM platforms
- NDB assessment checklist for data exfiltration scenarios
- Offboarding security checklist (the single best preventive control for insider threat)
- Client notification template for Privacy Act-compliant disclosure
Get the IRP Template for $47 → lil.business/products/incident-response-plan-template
Or buy via Polar: https://buy.polar.sh/polar_cl_G95ZMX6xnZpa7JuXj1AROgffKr1aL0JDmJ2KU1rHJ84
Scenario is fictionalised. Legal references are to Australian federal law. This post is educational and not legal advice — engage a qualified employment lawyer before taking action in a real scenario.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →