DENVER — The Denver City Council could be putting the city at greater risk for cyberattacks, according to a new report from the Denver Auditor's Office.
The auditor’s office looked at how the city council and its staff used, managed, and tracked technology over the last few years.
They found equipment inventories were "incomplete, inconsistent, and incorrect,” potentially making it easier for city-owned devices to fall into the wrong hands.
“When we looked at the City Council’s technology asset inventory and compared it to the inventory tracked by the city’s Technology services agency, we found the City Council’s inventory report was missing 43 Dell, Microsoft, and Apple products,” the report read. “We also found some council members may have purchased devices like Microsoft Surface Pros and Apple iPads without letting Technology Services know. If inventory is not accurately tracked and managed, assets could be lost, or devices could create cybersecurity risks due to missing security patches.”
The audit also found some council members and staff were not completing the city’s cybersecurity training as other city employees are required to do.
The audit said Technology Services, the city department that oversees the city’s IT infrastructure, struggled to effectively enforce policies with the city council.
“As an independent agency, the City Council is exempt from control by the Mayor’s Office and city agencies under the mayor. But City Council members and their staff still use city systems and are just as accountable to the public,” the audit said.
At a meeting on the auditor’s findings last Thursday, Denver City Council president Jamie Torres sought to provide some context to the findings.
She pointed out, for instance, that the pandemic forcing employees to work from home made tracking devices more challenging.
"For my office, in particular, all of my team got rid of their central processing unit and operated just with a laptop. That happened across 13 [council district] offices differently,” Torres said.
Council leaders also pointed out that the number of employees who had completed the cybersecurity training had increased, though it was not at 100%, according to the auditor’s report.
During their presentation, the auditor’s office cited an estimate that a cyberattack in Denver could cost the city $5.3 million per day.
The audit also found the council needs to do a better job tracking purchases on city credit cards.
In a statement, the council said it welcomed the Denver auditor's report.
“The Denver City Council welcomes the Denver auditor's recent report and the opportunity to further refine and strengthen our internal processes,” the city council’s statement said. “Since January 2022, the council’s central operations has added a variety of specialized staff, including the council’s first human resources manager, communications specialist, and fiscal administrator. These new positions have been actively engaged in building infrastructure through the development of policies and procedures. As a result, many of the identified issues were already under our review and actively being addressed during the audit period. We agree with the value of the audit observations and thank the audit team for its work. Our dedication to operating with efficiency, transparency, and accountability remains unwavering for the benefit of the City and County of Denver and its residents."
The city council agreed with 14 recommendations from the auditor.
“I’m glad we were finally able to conduct this audit,” Auditor Timothy O’Brien said. “The council’s complete agreement with our recommendations shows the common sense and productive nature of the results.”
To read the full report, click here.