Invisible Risk: Outdated tech leaves NZ Government’s physical security exposed

New Zealand Security Magazine - June-July 2025

Weakest link in New Zealand’s national resilience may not be a firewall. Image: Unsplash.

The physical security of agencies in New Zealand’s public sector is in a state of dangerous neglect, writes Robbie Jones, Wellington-based Enterprise Solutions Specialist at Wesco Anixter.


While digital threats dominate headlines, experts warn that New Zealand’s public sector is facing a quieter, more insidious crisis: a breakdown in the management of its physical electronic security systems.

From outdated access cards to mismanaged surveillance infrastructure, many government agencies are relying on aging, insecure technology to protect sensitive facilities—without the technical expertise needed to properly oversee it.

Old systems, new threats

Many government buildings still use legacy physical access control systems—platforms that are no longer updated or supported. These systems often have unpatched vulnerabilities and operate on outdated protocols, leaving backdoors into wider networks.

It’s not uncommon to find access panels with default passwords, surveillance systems exposed to the internet, or intruder alarms that haven’t been tested in years. The assumption that these systems “just work” has left them dangerously neglected.

Cards that can be cloned in seconds

Perhaps the most glaring issue is the continued use of 125 kHz proximity cards to gain access to premises, a decades-old technology that can be cloned in seconds using inexpensive tools. With no encryption or authentication, they provide little resistance to anyone with malicious intent.

In many agencies, there’s no central control over who gets access cards or when they’re revoked. Lost or duplicated cards often go unnoticed, and even modern smart card systems are frequently misconfigured or paired with outdated readers.

The CIO conundrum

Responsibility for these systems often defaults to Chief Information Officers (CIOs), whose expertise lies in enterprise IT—not physical security.

“Most CIOs understand cloud infrastructure and software contracts, not the nuances of door controller protocols or access credential design,” says a security consultant familiar with the issue. As a result, crucial decisions are made without the depth of knowledge required—leaving vendors to design and deploy systems with little oversight.

No enforced national standards, no oversight

Unlike countries such as the US or the UK, where strict government security standards apply, New Zealand lacks a unified approach to physical security. Agencies are left to interpret requirements on their own, or through a consultant with the same lack of knowledge, because the lead governing agency is critically understaffed.

All this is leading to inconsistent practices and vulnerable infrastructure, while also creating an “I know more than you” culture within government circles. Some in positions of influence have no place advising on what’s right or wrong in the government security space, as they think they know more than they actually do, and this can cause a new set of issues.

Procurement by familiarity, not fitness

The problem is compounded by procurement practices that favour familiar vendors over functional solutions. Systems are often chosen based on historical use or existing relationships rather than what’s best suited to an agency’s needs.

This “vendor lock-in” stifles innovation, drives up long-term costs, and limits interoperability. Some agencies continue renewing outdated systems simply because they always have—even when better options exist.

Consultants: Cutting corners, not risk

Another blind spot is the heavy reliance on security consultants who may not fully understand the unique demands of government operations. Instead of tailoring solutions to each agency’s needs, many propose one-size-fits-all options that are quick to deliver but poorly suited to complex environments.

Typically, this means consultants picking security products based on ease or “that’s what they use” rather than capability. This leads agencies down a rabbit hole for the next guy to fix.

While electronic security needs to move at a quicker pace to keep up with IT, consultants also need to re-educate themselves on the products that best suit the end user, rather than being led by manufacturers looking for a quick sale without the end user front of mind.

These shortcut solutions often fall short in scalability, integration, and long-term resilience.

Call for reform

Many security practitioners I have talked to suggest that the solution may start with building internal capability. Government agencies need trained specialists who understand both cybersecurity and physical systems. They also suggest:

  • Standardised security frameworks
  • Regular audits and testing
  • Open, interoperable systems
  • Procurement reform focused on risk, not convenience
  • Dedicated roles for physical security—not just CIOs

In today’s threat landscape, access control and CCTV systems aren’t just hardware—they’re networked technologies vulnerable to the same exploitation as any server or database. Without change, the weakest link in New Zealand’s national resilience may not be a firewall—but a door left unlocked by outdated tech.
