You are sitting in your office. Nearby is a server running an application that is a disaster for security. No encryption, well-known password. But, well, its on a trusted network, and you trust your team, it should be fine, right?
Hmm. Later that day you find the contents of that server on a “Data For Sale Cheap” site and are updating your resume. What happened?
Well, it turns out you didn’t subscribe to the principle of Defence In Depth. You assumed the firewall prevented inbound badness, which it kind of did. But, you, or a colleague, your browser loaded some JavaScript, perhaps from advertising, perhaps from a site with a weakness. That JavaScript came through the firewall and then turned around and talked directly to this site.
Think its impossible? Well, a few years ago various home routers got compromised using this exact technique. The weakness was in UPNP, in you not changing the password. The JavaScript on your desktop changed the DNS on the router, and, then, all your traffic is belong to us.
What should you do? Well, treat the things inside the firewall as no more (and no less) secure than things outside the firewall. Content-Security-Policy. TLS. No passwords. OpenID Connect. XSS headers. Patched. Up to date.