Councils failing on cybersecurity – Government News
Councils failing on cybersecurity – Government News
https://www.governmentnews.com.au/councils-failing-on-cybersecurity/
Publish Date: 2026-06-16 01:33:00
Source Domain: www.governmentnews.com.au
Using an unordered list, summarize the following article with between 4 and 8 key points.
Local governments lack basic cybersecurity controls, an expert tells GN.
“Access management remains a major problem at many Australian councils,” says Scott Hesford, from global cybersecurity company BeyondTrust. And as more aspects of operations and service delivery become digitised, councils are leaving themselves vulnerable to attacks. “The attack surface is broad and growing,” says Hesford.
The local government sector faces annual scrutiny from auditors on the status and effectiveness of their security controls. “This improved openness and information sharing is critical to helping the sector to elevate its capability and maturity, with a view to being able to counter an evolving threat landscape over time,” says Hesford.
These assessments take on an even broader significance in the AI era, he adds. “As more councils adopt AI tools, in line with broader take-up trends in the public sector, there is a greater need for assurance around what systems and resources AI has access to, and how these non-human identities are managed.”
Scott Hesford (supplied)
Recent assessments show access management remains the most problematic of all IT control issues experienced at the local government level. “Auditors highlighted several areas requiring attention,” says Hesford. “These include terminated accounts, dormant accounts, external or guest accounts, and accounts with privileged access that control who can make changes to the system.”
While the audits reveal many security weaknesses, Hesford tells GN progress is possible. “With the solutions and platforms that are available now and with targeted investments, improvements are within reach,” he says.
Indeed, some Victorian councils have shown themselves to be ahead of the game when it comes to addressing cybersecurity risks and embracing best-practice frameworks to uplift their controls. “That being said, the picture painted on a national basis suggests there is still work to do when it comes to addressing access control challenges,” says Hesford.
Hidden or indirect routes that can be exploited to elevate access and compromise key systems remain the most critical exposure points for many councils. “These paths enable attackers to gain footholds, compromise identities, escalate privileged access, and move laterally to undermine infrastructure itself,” says Hesford. “Some paths are known, others are unknown and vulnerable. And they are everywhere.”
Hesford advises councils to review their access management, and to adopt or mature privilege access controls. “By doing so, councils have the best chance of raising their own security and the collective security of the local government sector.”
