Insider threats from departing staff are skyrocketing among Australian SMBs, with data exfiltration incidents up 30% in 2026. In a recent Perth case we handled at ITsupportperth, a disgruntled employee turned a routine firing into a potential disaster—highlighting why proper monitoring is non-negotiable for teams under 50.
The Incident Unfolds
It started on a typical Friday afternoon in a mid-sized Perth accounting firm (details anonymized for privacy). The employee, let go for repeated performance issues, had full access to their Microsoft 365 environment, including SharePoint libraries packed with client financials, contracts, and proprietary spreadsheets.
Before IT could revoke access—delayed by end-of-week chaos—he initiated massive downloads: 200GB of data transferred to external drives and emailed in bulk to his personal Gmail and OneDrive accounts. This mirrored patterns seen in real cases, like a law firm employee sending attachments to personal email on their last day, exposing sensitive info without detection.
The firm discovered suspicious activity only post-exit, via a routine log review, but poor setup meant no real-time alerts or forensic trails.
The Fallout: Chaos Without Controls
Without Data Loss Prevention (DLP) policies or user behavior analytics:
No tracking: They couldn't pinpoint exactly which files left—IP logs were incomplete, and SharePoint auditing wasn't enabled for bulk actions.
Exposure risks: Data could resurface with competitors or on dark web markets; ransomware groups love stolen SMB intel.
Recovery nightmare: Legal teams scrambled for e-discovery, but fragmented logs made it impossible to prove breach scope, delaying insurance claims.
Cost hit: Estimated $150K+ in forensics, notifications, and lost productivity—common for SMBs hit by insiders.
This echoes global stories, like sysadmins reporting fired staff wiping company files before deactivation, often undetectable without proactive tools.
Our Solution: Microsoft Purview DLP in Action
We deployed a tailored Microsoft Purview setup—zero downtime, fully managed:
Risky behavior alerts: Real-time notifications for mass downloads (>50GB), external shares, or unusual Friday PM activity.
Content scanning: Auto-blocks or quarantines sensitive data (e.g., passports, financials) heading to personal clouds via regex and ML classifiers.
Session controls: Entra ID policies limit offboarding access to read-only in minutes.
Forensics dashboard: Unified logs across SharePoint, Teams, and email for instant audits.
We configured policies via Intune, trained two staff, and integrated with their existing M365 E3 license—no new hardware needed. Now, a 200GB dump triggers auto-lockout and executive alerts.
Key Lessons for Perth SMBs
Ransomware targets SMBs like yours because 43% lack insider controls. Free gov resources exist, but they don't scale for daily ops.
Protect Your Team Today
Don't wait for a Friday fiasco. call us today for a free DLP audit.



