Phishing Follow-up

The Office of Human Resources fully implemented the one recommendation we made to it in the original audit report. Meanwhile, Technology Services fully implemented three recommendations, but it has not taken steps to address the risks the three remaining recommendations had sought to resolve.

By fully implementing four recommendations, the city is conducting phishing simulations and offering similar cybersecurity awareness trainings to the employees who need them most. These trainings will help make users of city systems aware of the risks of clicking a link in a malicious email and deter them from doing so.

Graphic showing four implemented recommendations, no partials, and three not implemented.

Remaining Risks

The three recommendations Technology Services did not implement present several lingering risks. Among them:

  • By not developing key phishing metrics — such as reconciling who has completed trainings, monitoring click rates, and identifying targeted agencies — the city remains vulnerable to cyber threats. And it lacks standard performance indicators to make informed decisions.
  • Not communicating phishing metrics to other city agencies limits the city’s ability to collectively share knowledge about which agencies are more vulnerable to cyber threats. This weakens the overall security defenses of the city.

Auditor's Letter

March 7, 2024

In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.

In April 2021, we audited the City and County of Denver’s phishing defenses and found risks involving which employees should be required to complete cybersecurity awareness trainings and how the Technology Services agency communicates phishing metrics to other agencies. Technology Services and the Office of Human Resources agreed to implement all seven of our recommendations.

We recently followed up on our original report and found the Office of Human Resources fully implemented its one recommendation, while Technology Services fully implemented only three recommendations and the three others remain not implemented.

Although Technology Services has made some progress, it did not fully address all the risks associated with our original findings. Consequently, we may revisit these risk areas in future audits to ensure the city takes appropriate corrective action.

We appreciate the leaders and team members at Technology Services and the Office of Human Resources who shared their time and knowledge with us throughout the audit and the follow-up process. Please contact me at 720-913-5000 with any questions.

Denver Auditor's Office

Timothy O'Brien, CPA

Denver Auditor

201 W. Colfax Ave. #705 Denver, CO 80202
Call: 720-913-5000