DENVER — The Denver City Council may be putting the city at greater risk of cyberattacks, according to a new report by the Denver Auditor’s Office.
The audit office looked at how the city council and its staff used, managed and tracked technology over the past few years.
They found that equipment inventories were “incomplete, inconsistent and incorrect,” potentially making it easier for city devices to fall into the wrong hands.
“When we looked at the City Council’s technology asset inventory and compared it to the inventory tracked by the City’s technology services agency, we found that 43 Dell, Microsoft and Apple products were missing from the City Council’s inventory report,” the report said . “We also discovered that some councilors may have purchased devices such as Microsoft Surface Pros and Apple iPads without notifying Technology Services. If inventory is not accurately tracked and managed, assets can be lost or devices can create cybersecurity risks due to missing security patches.”
Audit: Denver City Council’s technology practices could expose city to cyberattacks
The audit also found that some council members and staff did not complete the city’s cybersecurity training, as other city employees are required to do.
The audit said Technology Services, the city department that oversees the city’s IT infrastructure, struggled to effectively enforce policies with the city council.
“As an independent agency, the City Council is free from control by City Hall and city agencies under the direction of the Mayor. But city council members and their staff still use city systems and are just as accountable to the public,” the audit said.
At a meeting about the auditor’s findings last Thursday, Denver City Council President Jamie Torres tried to provide some context to the findings.
She pointed out, for example, that the pandemic forcing employees to work from home has made tracking devices more challenging.
“For my office, in particular, my entire team got rid of their CPU and just worked with a laptop. It happened at 13 [council district] offices differently,” Torres said.
Council chiefs also said the number of staff receiving cyber security training had increased but was not at 100 per cent, according to the auditor’s report.
During its presentation, the auditor’s office cited an estimate that a cyberattack in Denver could cost the city $5.3 million a day.
The audit also found the council needs to do a better job of tracking city credit card purchases.
In a statement, the council said it welcomed Denver’s audit report.
“The Denver City Council welcomes the recent report of the Denver Auditor and the opportunity to further refine and strengthen our internal processes,” the city council said in a statement. “From January 2022, the council’s central operations added a variety of specialist staff, including the council’s first human resources manager, communications specialist and fiscal administrator. These new positions have been actively involved in building infrastructure through the development of policies and procedures. As a result, many of the issues identified were already under review and were being actively addressed during the audit period.”
The City Council agreed with 14 of the auditor’s recommendations.
“I am pleased that we have finally been able to conduct this audit,” said Auditor Timothy O’Brien. “The council’s full agreement with our recommendations demonstrates the common sense and productive nature of the results.”
To read the full report, click here.
The follow up
What do you want Denver7 to track? Have a story, topic, or issue you’d like us to revisit? Let us know with the contact form below.