The city of Denver’s agencies do not always follow the rules and safeguards for buying technology, such as computers and software, potentially exposing the city to higher security risks, such ransom demands, Denver’s auditor outlined in a new report.

“Cybersecurity is a top priority citywide,” Denver Auditor Timothy O’Brien said in a statement. “Protecting city and resident data must be top of mind for individuals, agencies, and the highest city leadership.”

He added, “There is a lot of potential for something to go wrong here. It’s in all of our best interest to have a properly functioning technology system.”

New laws set to vault Colorado up gun safety rankings | 2023 LEGISLATIVE SESSION

Denver auditors had looked into how the city’s Technology Services unit, which is tasked with reviewing and approving “all acquisitions of technology,” administers and communicates requirements to city leaders and staffers about buying technology services and equipment.

The auditors concluded that, while Technology Services actually has had better control over devices used on the city’s network since 2021, a lot more needs to be done to tighten possible access points to the city’s network.

Specifically, auditors said an executive order prohibits technology purchases using a “purchase card,” but city agencies have violated that rule. Indeed, the auditors found that almost all agencies and departments use purchase cards – credit cards issued to certain employees for purchases under $2,000 – or via expense reimbursement process to bypass the required approvals for such transactions.

It is crucial for the Technology Services unit to review any new technology connected to the network to avoid security vulnerabilities that could then be exploited by “bad actors,” which could lead to, among other things, losing data or services to the public, the auditor said. 

A look at the top 12 issues in Colorado’s 2023 legislative session

“Not obtaining prior approval and bypassing the approval process exposes the city to several risks – including security vulnerabilities and incompatible equipment or software, data protection and privacy concerns, and missed opportunities to save taxpayer dollars using bulk-discount pricing,” the auditor’s office said in a statement. 

The risks are real – and costly. 

Cities and states across America have come under cyberattacks – with increasing severity and regularity – in the last few years.

Comparitech, a company that reviews cybersecurity tools, said America faced nearly 2,000 ransomware attacks since 2018, with the average ransom demand at nearly $2 million. These attacks, the company said, have so far cost healthcare organizations $20.8 billion, schools and colleges $3.6 billion, governments $18.9 billion, and businesses $20.9 billion.

Last year, an “anonymous suspected foreign actor” attacked the state-run Colorado.gov portal homepage offline and targeted multiple other state government websites across the U.S.

Supervised drug consumption site unlikely in Denver’s near future

In its report, Denver auditors said the Technology Services unit has taken steps to protect against these risks, including using a security tool that detects when technology is added to the city’s network. The agency also can shut down unauthorized hardware and software, and restrict access to websites used for cloud services, auditors said. 

But they added that, if the use of purchase cards is unavoidable in some cases, the city should have a clear policy and procedure for using them. 

The auditors also recommended that Technology Services create clear definitions for what constitutes a “technology purchase” and educate city employees about which purchases need its approval.

The Technology Services unit agreed with all of the auditors’ recommendations.