Access management remains a major problem at many Australian councils

BeyondTrust

By Scott Hesford, Director of Solutions Engineering Asia Pacific and Japan, BeyondTrust
Wednesday, 17 June, 2026



Australia’s local government sector has long been complex and resource-constrained, particularly when it comes to sustaining investments in enabling capabilities such as cybersecurity. But overcoming security challenges is more important than ever.

Councils have a very large and diverse asset and operational base, comprising not just a municipal office, but also libraries, leisure centres, waste management facilities, depots and more. This typically means needing to run a wide variety of information and operational technology (IT/OT) systems at sites with varying network connectivity levels. The attack surface is broad and growing, as more aspects of operations and service delivery are digitised.

The sector faces annual scrutiny from auditors on the status and effectiveness of security controls tied to key systems — particularly to its finance and ERP systems, but also to systems and data more generally. These assessments take on an even broader significance in the AI era. As more councils adopt AI tools, in line with broader take-up trends in the public sector, there is a greater need for assurance around which systems and resources AI has access to, and how these non-human identities are managed. Queensland is so far leading the way with its specific disclosure of challenges relating to ‘system and non-human accounts and permissions’. We both anticipate and encourage more granular reporting on non-human identities and access management, given their ‘ghost in the machine’ status and the growing extent to which threat actors exploit them.

Overall, it’s pleasing to see a trend towards more detailed reporting of the specific weaknesses within the access management domain that councils are experiencing. This improved openness and information sharing is critical to helping the sector understand what steps it can take to elevate its capability and maturity, with a view to being able to counter an evolving threat landscape over time.

With that, let’s examine how each of the four states that regularly examine local government information security controls fared.

Western Australia

In WA, access management maturity has now fallen every year since 2021–22. This time, just 7% of the 15 local councils that had their access management maturity assessed in 2025 “met the [expected] benchmark”, according to the latest information systems audit. While this is partly due to an expansion of the assessment, growing from 11 to 15 councils, the auditor found progress among the base 11 councils on access management was either stagnant or in decline year-on-year.

A new feature of the most recent WA audit is that it drills into a lot of detail as to where the weaknesses in access management lie. It shows that “nearly one-third of the entities — 32% — lacked effective controls over administrator privileges, user activity monitoring or regular reviews of user access”, adding that “these weaknesses increase the likelihood of data breaches”. One in five councils has problems with user access provisioning and deprovisioning and with the setting and cycling of credentials.

New South Wales

The state’s most recent figures, covering 2024–25, found control weaknesses around system access at 71 councils (for context, there are 121 councils in the state). That led to a topline finding that “most councils had insufficient controls over user and privileged user access to systems”. On the specifics, the auditors pointed to problems with role-based access controls, including a failure to perform user access reviews, and with “gaps in restricting privileged users’ access and not monitoring their activity”. The auditor added that “weaknesses in granting, removing and monitoring user access to systems can lead to inappropriate and unauthorised system access, increasing the risk of fraud, cyber attacks and invalid transactions.”

Queensland

Almost 80% of deficiencies in information systems and security controls at Queensland councils relate to access management, according to the state’s most recent local government audit. Most deficiencies relate to controlling who can access which part of systems (35%), privileged accounts (21%), passwords and authentication (14%) and the management of system and non-human accounts and permissions (8.5%). Given the problems around system access, auditors highlighted several areas requiring attention. These include terminated accounts, dormant accounts, external or guest accounts, and accounts with privileged access that control who can make changes to the system. “When entities do not provide the appropriate access levels, they expose their data to unauthorised access and potentially to the risk of cyber attack,” the auditor said.

Victoria

In 2024–25, the state bucked a long-term trend in the number of councils with user access management-related control deficiencies. But while that number fell below 20 this past year, according to the audit, access management remained the largest problem of all IT control issues experienced at the local government level. “Effective IT controls reduce the risk of unauthorised access and changes to systems, fraud, error, data manipulation and information theft,” the audit stated.

Key takeaways

The progress in Victoria year-on-year, with fewer councils experiencing issues, shows that progress is possible and that with the solutions and platforms that are available now and with targeted investments, improvements are within reach. We’ve long observed this progress to be occurring behind the scenes with proactive local governments that have shown themselves to be ‘ahead of the game’ when it comes to addressing cybersecurity risks and embracing industry best-practice frameworks — such as the Essential Eight maturity model — to uplift their controls.

That being said, the picture painted on a national basis suggests there is still work to do when it comes to addressing access control challenges.

Paths to privilege remain the most critical risk exposure points for many councils. These paths enable attackers to gain footholds, compromise identities, escalate privileged access and move laterally to undermine infrastructure itself. Some paths are known, others are unknown and vulnerable — and they are everywhere.

In response, councils should take this opportunity to review their access management controls, and to either adopt or mature a privileged access management (PAM) system that is capable of holistic visibility, simplified management and intelligent protection against identity-based threats. By doing so, councils have the best chance of achieving high benchmarks when it comes to access control, raising their own and the collective security of the local government sector.
