Realistically there's probably not much of a security issue there. Running the site using HTTPS doesn't in of itself make any difference to the security of the website, it provides security in relation to the connection from the user to the intended server.
The TLS/SSL part of HTTPS (or any other protocol that uses it) essentially provides two things. 1) A secure tunnel between the client and the server, so that any communication between the two can't be intercepted on route, for instance when using public wifi. 2) Confirmation when you connect to www.foo.com that it really is www.foo.com, and someone hasn't managed to redirect your request to a malicious server.
Taken in that context, when you're talking about your local internal network, especially if you're using a wired network, then the risk becomes whether someone with access to your network could set something up to snoop on your network traffic to the web server, or poison the local DNS to send the server to someone else. Neither of which are impossible, but, if someone HAS somehow compromised your network (either physically, or via a compromised device) such that they could do either of those things, then you have much larger issues to worry about than traffic to a web server being compromised.
However, while there's not much of a security issue, depending on how that backend application is accessed, and who it's accessed by, it could be a useability issue. Most browswers will complain at you if you try to connect to a website that isn't HTTPS secured, and some simply won't let you connect or make it hard to work around. Fine if it's just some kind of admin UI, but more of an issue if it's widely used by non-technical staff.
