You are sitting in your office. Nearby is a server running an application that is a disaster for security. No encryption, well-known password. But, well, it's on a trusted network, and you trust your team, so it should be fine, right?
Hmm. Later that day you find the contents of that server on a “Data For Sale Cheap” site and are updating your resume. What happened?
What should you do? Well, treat the things inside the firewall as no more (and no less) secure than things outside the firewall. Content-Security-Policy. TLS. No passwords. OpenID Connect. XSS headers. Patched. Up to date.
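As an added example (not from the original post), here is a small audit of a web server's response headers against the items just listed: a Content-Security-Policy that actually restricts scripts, TLS enforcement via Strict-Transport-Security, and the anti-XSS and anti-clickjacking headers. The two header sets are constructed samples standing in for the "disaster" server and its hardened replacement.

```python
# Added example: audit an HTTP response header set against the hardening list
# in the post (CSP, TLS enforcement, XSS-related headers). Header values are
# constructed samples, not captured from any real server.

WEAK_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*")

def audit_headers(headers):
    """Return a list of findings for a dict of response headers.
    Header names are compared case-insensitively; an empty list means
    every check in this audit passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Parse "directive source source; directive ..." into a dict.
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        # script-src falls back to default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            weak = [t for t in script_src if t in WEAK_CSP_TOKENS]
            if weak:
                findings.append("CSP script policy allows " + ", ".join(weak))

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (TLS not enforced)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp.lower()):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings

# Constructed sample: the "disaster" server from the post.
LEGACY_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}

# Constructed sample: the same application after hardening.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```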