Colo. cities concerned, but officials don't lose sleep over cybersecurity By Tom McGhee The Denver Post
Curlie Matthews doesn't go to sleep worrying that computer systems he oversees for the city of Colorado Springs are vulnerable to hackers.
But Matthews, the city's chief information officer, and officials of other Colorado cities say an audit that found the state of Colorado's computer systems are at high risk of online attack raises concerns for them.
"That is an issue that we are constantly concerned with. We take every step that we possibly can to secure our environment," Matthews said Tuesday. "If I get a look at that audit and there are some things that we can improve, we will certainly do that because it is a constant battle to stay ahead."
The audit of state-run computers found that thousands of records containing Social Security numbers, birth dates and other confidential information could easily be compromised. "Overall," auditors wrote, "we determined that the state is at high risk of a system compromise and/or data breach by malicious individuals."
"It should be a concern to every business and every government entity," said Limon Town Manager Dave Stone. "It is rather scary."
Limon relies on an outside consultant to raise computer firewalls that protect sensitive information, Stone said.
"We have just the firewalls. Ours are pretty simplistic, which may be a concern too," he said.
Firewalls are effective, as long as there is a process in place to keep them secure, said Steven Foster, president of Business Controls, a risk-mitigation firm that provides training and other services. "You have to make sure you are current. You don't put a firewall in place and (think) you are good for eternity," he said.
No computer system is completely safe from a determined cyberpirate, said Troy Flick, Mesa County information technology manager. "The most secure system is the system that is still in the box."
Early this month, Mesa County fell victim to a security breach when an employee made an error that put secure law enforcement files and some people's personal information on the Web.
But that was an accident, and the county is taking steps to ensure it doesn't happen again.
The county relies on outside auditors who perform an annual review of its system's security, Flick said. Auditors scan the system and provide a list of recommendations and fixes needed to resolve any problems. "We go through that and resolve everything we can."
If a problem poses only a minor risk and fixing it would jeopardize delivery of a city service, no change is made, Flick said. "If it needs to be in place, we will say it is a business risk we are willing to take to provide that service."
Greeley also has an outside consultant who does routine audits on its system, said City Manager Roy Otto. "There are always issues that come up, but nothing has come up that is an immediate risk."
Security not cheap
State officials estimate it would take $40 million to implement an adequate cyber security plan for the state's computer systems.
That number makes Otto nervous. Could the state, already wrestling with sky-high budget shortfalls, make deeper cuts in order to secure its system that could hurt municipalities like his, he asks. "Will there be cuts further on? That was one of the first thoughts that ran through my head."
Business Controls' Foster thinks the estimate is far too high. "That seems like a ridiculous number to me," he said.
Arvada relies on outside consultants to audit its system periodically, said Arvada IT director Michele Hovet. Cybersecurity is so important that even when budget cuts are needed, Arvada doesn't trim the $25,000 a year it spends on security, Hovet said. "We keep up with new firewalls, new monitoring services and new tools. It is not a big line item, but it does allow us to do audits on the system."
Denver has a special security officer whose sole responsibility is to create policies and help form procedures to ensure that the system is secure, said Ann Williams, communications director for Mayor John Hickenlooper's office. "While any organization is vulnerable to security threats, we are following best practices in securing our environment. We are audited by the Denver Auditor's Office."
Boulder is mindful of the risks associated with hackers and government computer systems, Boulder spokeswoman Sarah Huntley said in an e-mail. Boulder "follows the best business practices in an attempt to safeguard the city's system against these types of issues."