Local government needs to step up on access control

A desktop review of council audits shows the local government sector faces significant security challenges, writes Scott Hesford.

Scott Hesford

Australia has reached a heightened state of alert when it comes to security after a back half of 2022 punctuated by a series of high-profile data breaches.

While these largely did not target or impact the local government sector, there have long been concerns that the sector is particularly susceptible to attacks.

A desktop review of annual local government reports by state auditors highlights key areas that need to be urgently addressed. While not all states and territories publish an audit of local government annual reports each year, at least four do.

It is apparent that the findings are indicative of broader trends in the sector, particularly around access controls and privileged user account monitoring and management.

These are crucial areas because without well-managed system and data access and change permissions, it is hard to identify instances of misuse or abuse, and harder still to mitigate those threats.

As NSW’s audit office explains: “Where robust access management processes are not in place, inappropriate access may exist. This increases the risk of unauthorised transactions or modification of sensitive data and transactions.”

Key themes

The most recent NSW audit uncovered a lack of periodic user access review at 42 councils, an activity designed to ensure users’ access to key IT systems were “appropriate and commensurate with their roles and responsibilities.”

The audit found insufficient control over privileged users at 73 councils, compared to 68 last year, including gaps in restriction of privileged users or monitoring of the privileged accounts’ activity logs.

Queensland’s audit office found “prevalent” information system control weaknesses across the sector, of which the most common were in relation to incorrect levels of system access assigned to staff. “Councils should ensure their staff have an appropriate level of access to information systems to perform their role within the organisation, but no more than that,” the audit said.


It also recommended councils regularly review user access to ensure it remains appropriate and monitor activities by employees with privileged access.

Victoria also outlined its concern at the significant rise in what it said were IT control deficiencies across the sector. The number of user access management-related control deficiencies rose sharply in the past year, and has risen every year for the past three years. Privileged access controls remain as problematic as they were three years ago.

In WA, the state audit office found 11 local government entities where access to the financial management, payroll and human resources systems was not restricted to appropriate staff.

“In some instances, we considered more staff than necessary had passwords to access key systems,” it said.

There were also instances where “no formal policy or procedure [existed] to remove user access on termination of staff”; and a lack of review of user access privileges.

The takeout

The first thing to make clear is that these problems affect some – but not all – Australian councils. A number of proactive local governments have shown themselves to be ‘ahead of the game’ when it comes to addressing cybersecurity risks, and have embraced industry best practice – such as the Australian Cyber Security Centre’s Essential Eight maturity model – to uplift their controls.

For councils that are struggling with security challenges, there are often multiple signs that point to relative immaturity in the space, and that put their access control and privileged user problems into perspective.

The NSW and Queensland experience is instructive here:

● NSW found that 39% of councils have not established a formal cybersecurity role or responsibilities, so they lack strategic oversight, and just under half (46%) don’t have a formal cybersecurity policy.

● Queensland found 20 councils that had not provided mandatory cyber security awareness training for all staff.

What’s clear is that there are councils that lack basic security structures that many organisations take for granted. It is likely that many of these councils have difficulty identifying, prioritising and budgeting for their myriad security challenges, making it hard to progress year-on-year.

To improve access control and privileged user account management, an access review at least once a year is advisable.

Among other things, these review exercises can identify who has access to what and whether that access is needed; and uncover instances of privilege creep, where people continue to accumulate privileges or system access as they change jobs internally. However, annual reviews can be time-consuming and costly if they aren’t automated.
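The review exercise described above (who has access to what, whether the current role needs it, and whether privileges have accumulated as people move between roles) plus the WA finding about access surviving staff termination can be automated with a simple join between an HR feed and an entitlement export. The following is an added example, not code from the article or from any product it mentions; the role names, entitlement strings, HR fields and sample users are constructed for illustration.

```python
from collections import defaultdict

# Constructed role model (hypothetical names): what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "payroll_officer": {"payroll:read", "payroll:write"},
    "finance_analyst": {"finance:read"},
    "it_admin": {"ad:domain_admin", "finance:read"},
}

# Entitlements treated as privileged: these holders need activity-log monitoring.
PRIVILEGED = {"ad:domain_admin", "payroll:write"}

# Constructed HR feed: current role and employment status per user.
HR_RECORDS = {
    "alice": {"role": "payroll_officer", "status": "active"},
    "bob": {"role": "finance_analyst", "status": "active"},  # moved from payroll internally
    "carol": {"role": "it_admin", "status": "terminated"},
}

# Constructed entitlement export from the IT systems: one (user, entitlement) row each.
ENTITLEMENTS = [
    ("alice", "payroll:read"),
    ("alice", "payroll:write"),
    ("bob", "finance:read"),
    ("bob", "payroll:write"),      # left over from bob's old role: privilege creep
    ("carol", "ad:domain_admin"),  # still active after termination
    ("dave", "finance:read"),      # no HR record at all: orphan account
]


def review_access(hr_records, entitlements, role_entitlements, privileged):
    """Return findings as (user, entitlement, reason, is_privileged) tuples.

    reason is one of:
      "terminated" - HR status is not active, so the access should have been removed
      "orphan"     - no HR record exists, so ownership must be established
      "creep"      - the entitlement is not needed by the user's current role
    Entitlements that match the user's current role produce no finding.
    """
    findings = []
    for user, ent in entitlements:
        record = hr_records.get(user)
        if record is None:
            reason = "orphan"
        elif record["status"] != "active":
            reason = "terminated"
        elif ent not in role_entitlements.get(record["role"], set()):
            reason = "creep"
        else:
            continue  # access is appropriate and commensurate with the role
        findings.append((user, ent, reason, ent in privileged))
    return findings


def privileged_holders(entitlements, privileged):
    """Map each privileged entitlement to the users holding it: the list a
    reviewer attests to and whose activity logs should be monitored."""
    holders = defaultdict(set)
    for user, ent in entitlements:
        if ent in privileged:
            holders[ent].add(user)
    return dict(holders)


if __name__ == "__main__":
    for user, ent, reason, priv in review_access(
        HR_RECORDS, ENTITLEMENTS, ROLE_ENTITLEMENTS, PRIVILEGED
    ):
        flag = " [PRIVILEGED]" if priv else ""
        print(f"{reason:10} {user:6} {ent}{flag}")
    for ent, users in privileged_holders(ENTITLEMENTS, PRIVILEGED).items():
        print(f"{ent}: {sorted(users)}")
```

On the constructed data this flags bob's retained payroll write access as creep, carol's domain admin access as surviving termination, and dave as an account with no owner in HR, while alice's access passes silently. Running the same join on every export rather than once a year is what turns the annual review into a continuous control.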

As mentioned, some councils have found that increasing their maturity with the Essential Eight can also help, especially when it comes to restricting admin privileges, application control and user application hardening.

Technology can really help to create and manage appropriate user access and permissions. Councils should work to adopt Privileged Access Management (PAM) technology that is capable of securing every privileged user, asset and session; that can automatically discover and onboard all privileged accounts; that secures access to privileged credentials and secrets; and that audits all privileged activity.

In addition, councils should consider endpoint controls that enable fine-grained delegation of administration, removing the need for high-risk local administrative accounts, along with application control to monitor and block unwanted applications.

With broader adoption of these kinds of capabilities, councils have a better prospect of moving the needle on access control, shrinking their threat landscape, and steering clear of being caught in an auditor’s crosshairs.

*Scott Hesford is Director, Solutions Engineering Asia Pacific at BeyondTrust
