Insider Threat
Insider threat is the misuse by a trusted person of privileged access to assets and operations. The trusted person’s actions may be unintentional or they may be intentional. In either instance the harm caused can be the same.
Organisations make a choice to grant trust to a person when they decide to employ them. But the pre-employment screening process is really a point-in-time security check which would reject candidates with any obvious security risk attributes. However, real risk occurs once a person is employed, is inside the organisation, and is often trusted by default. If an organisation does not have appropriate measures in place to observe and evaluate employees then they maximise the risk of insider threat activity.
This risk is often exacerbated where organisations rely heavily on initial screening and trust-based models, without implementing mechanisms for continuous monitoring of behaviour and access. In such environments, abnormal activity may go undetected because there is no established baseline against which to assess deviations.
Workplaces vary in terms of security culture. For example, in the Australian intelligence community there is a highly developed security culture and systems to identify behaviour that may indicate aberrant security behaviour. In many private sector entities, such as a clothing retailer, there will be little or no security culture beyond detecting petty theft of clothing.
Allegations of misconduct
In April 2026, numerous Australian media reported an apparent insider threat case in the New South Wales Director of Public Prosecutions (DPP).
The DPP will have a well-developed security culture steeped in the history of legal professional behaviours and conventions and also the sensitive high-stakes nature of its business.
Australian media has reported that one of DPP’s staff have been charged with six indictable offences. The alleged offences include three counts of misconduct in public office, two counts of accessing or modifying restricted computer data, and one count of hindering the discovery of evidence.
The alleged offences were made public in April 2026 upon the lifting of a suppression order of the police investigation which was undertaken in 2025.
NSW Police have alleged that the DPP lawyer “… failed to declare an inappropriate relationship”. This relationship is alleged to have enabled the lawyer to derive a material benefit from a criminal group, and knowingly dealing with crime proceedings with the intention of concealing it. The lawyer is alleged to have accessed hundreds of sensitive files.
Police will reportedly allege the lawyer had sexual relationships with multiple criminal inmates, including a convicted murderer who the lawyer represented.
The lawyer, Vanessa O’Bryan, was suspended without pay once the charges had been laid by police.
DPP response
In response to this incident the DPP has stated that the DPP is now “developing more stringent recruitment checks as well as ongoing checks on suitability throughout a person’s employment.” And further, that a “comprehensive review of its IT security system in consultation with external experts.”
These measures, while appropriate, reflect improvements to individual controls rather than the implementation of a comprehensive insider threat program. Effective insider threat programs integrate personnel security, behavioural monitoring, governance, and response mechanisms into a coordinated capability, rather than relying on isolated enhancements to recruitment or IT systems.
This insider threat incident comes in the wake of other reports of insider threat activity on the DPP, including allegations that a person in the DPP leaked information about an underage Indigenous offender. The information was leaked to a Sydney radio station which broadcast an unfavourable story about the offender being allowed to perform an Indigenous cultural ceremony in a NSW District Court hearing.
Conclusions
The alleged actions by the DPP lawyer are consistent with an intentional insider threat.
Insider threat activity is typically understood across three broad categories: malicious insiders, who intentionally cause harm; compromised insiders, who are coerced or influenced by external actors; and negligent insiders, whose actions create risk without intent. Based on the allegations reported, this case most closely aligns to a malicious insider, with elements that may also indicate compromise.
The lawyer was schooled in the law and its history of confidentiality, is intelligent enough to earn a law degree, was vetted for suitability by the DPP in pre-employment, will have been instructed by the DPP on required security behaviour and procedures, had been observed in the workplace, and being aged in their 30s is mature. From this collection of artefacts, it is reasonable to conclude that the lawyer knew what the required security behaviour was and chose to act in contravention of the expected security behaviour.
And that is the significant challenge posed by human-based sources of harm, by insider threats. People exercise their free will to act in a way that causes harm. Whether the person is being coerced, is working covertly for a third party such as a hostile nation or criminal group, is disgruntled, or is just careless the behaviour they choose to exercise in the workplace can cause harm.
In many cases, insider threat activity is preceded by observable behavioural indicators. These may include unexplained or excessive access to sensitive information, deviations from normal work patterns, failure to declare conflicts of interest or relationships, or boundary violations in professional conduct. Such indicators, when identified early, provide organisations with an opportunity to intervene before harm occurs.
Insider threat programs are designed to identify aberrant workplace behaviour. The DPP’s comments about the event causing the DPP to develop more stringent suitability checks during employment and review of IT systems are appropriate, but offered subsequent to harm being caused. An appropriate insider threat program would have addressed these vulnerabilities and likely detected the behaviour at an early stage, perhaps preventing such harms being inflicted on the DPP.
But it is not just the DPP as an organisation that has been harmed. The New South Wales DPP has been subject to numerous allegations of misconduct over the last few years which raises questions about workplace culture, which includes security culture. The lawyer’s alleged behaviour is evidence may indicate that the DPP’s security culture and personnel security program is underdeveloped, and that is a risk for all citizens relying on effective and trustworthy public prosecution services to enable the courts to mete out punishment to those people who cause harm to the community.
It is also important to recognise that organisations such as the DPP operate in inherently high-trust environments, where access to sensitive information is necessary to perform core functions. This creates a structural challenge in balancing operational effectiveness with the need for oversight and control.
Incidents such as this highlight the importance of moving beyond reactive responses, towards proactive identification and management of insider threats, supported by mature programs that integrate people, process, and technology.
