Scott Hesford, director of Solutions Engineer Asia Pacific at BeyondTrust, has called on local governments to step up on access control as Australia continues to face significant security challenges.
Hesford noted state auditors' desktop review of annual local government reports, highlighting key areas that must be urgently addressed, including access controls and privileged user account monitoring and management.
“These are crucial areas because, without good system and data access and change permissions, it is hard to identify instances of misuse or abuse, and even harder to mitigate against these threats,” he said, as reported by Government News.
The recent audit found a lack of periodic user access review – designed to ensure that users' access to key IT systems was “appropriate and commensurate with their roles and responsibilities” – at 42 councils. It also found insufficient control over privileged users at 73 councils, compared to 68 last year, including gaps in restricting privileged users or monitoring the privileged accounts' activity logs.
The audit found “prevalent” information system control weaknesses across the sector – the most common being related to incorrect levels of system access assigned to staff.
It advised councils to ensure that their staff have an appropriate level of access to information systems to perform their role in the organisation, regularly review user access to ensure that it remains appropriate, and monitor the activities of employees with privileged access.
The audit emphasised the concerning rise in IT control deficiencies across the sector, with the number of user access management-related control deficiencies rising significantly in the past year and every year for the past three years.
The audit found 11 local government entities where access to the financial management, payroll, and human resources systems was available to appropriate staff.
“In some instances, we considered more staff than necessary had passwords to access key systems,” it said, as reported by Government News.
Hesford said conducting an access review at least once a year is needed to improve access control and privileged user account management because it can:
He added that increasing maturity with the Essential Eight might help when restricting admin privileges, application control, and user application hardening. Councils should also adopt Privilege Access Management (PAM) technology and consider endpoint controls that enable fine-grained delegation of administration.
The review's results were released after security giant Sophos' report warned Australian organisations to prepare for a more hostile cyber environment in 2023.
