A new Nevada policy requires businesses to email confidential information to state officials, thus exposing businesses to a different level of hacking, according to a cybersecurity expert.
A digital forensic analyst at DiscoveryTechnician.com, Ira Victor, said the Nevada Department of Employment, Training and Rehabilitation’s (DETR) new mandate is that businesses must send information such as the salaries and Social Security numbers of employees through email. This new policy could create more risks then sending forms through the U.S. mail.
Officials with DETR are confident of the security of the information once it is entered into the data storage units. According to Victor, DETR should have done a risk assessment of the new policy before enforcing it.
Victor says, businesses take on a lot of risks. Employers have a right to be concerned about their privacy. Citizens of Nevada, employers and employees should be able to decide whether they feel safe with their systems being connected to the state or if the liability is too high. They should be able to choose to mail the forms or emailing them to DETR.
Internet requires a two-way connection and the state is only concerned with the security on its end, leaving businesses vulnerable, according to Victor. There needs to be a risk assessment completed for the entire transaction, not just one side. Victor suggested the 2019 state legislature look into the policy.
Before the policy was changed, businesses had the option to go online, if the data could be safely sent over the internet to the state, or they could print out the necessary forms and mail it to DETR, according to Victor.
This new policy has the potential to affect each employee and business in Nevada. Victor believes a larger risk assessment needs to be conducted and businesses should keep the status quo until it is complete.
Victor said, “In addiction (intervention), the first step is to recognize you have a problem. I don’t think they (state officials) have got to the first step yet. They are still at the state where they say, ‘We take security very seriously’…but they need to get to that first step of recognizing a problem and then we can start to tackle it.”
He recently attended a DETR hearing on the issue and offered his help in doing the complete risk assessments necessary to tackle the issue. So far, he said he has been ignored.
Senior DETR officials told Victor that they have limited resources and a tight budget, so the risk assessments cannot be completed. Victor told him to ask for help.
After the hearing, Victor spoke with one of the members of the legal team. He asked Victor if he would help on what the risk assessment would look like. Victor was willing, however, no one has followed up with him.
By Jeanette Smith
Las Vegas Sun: New policy could expose Nevada businesses to hackers, cybersecurity expert warns
Nevada Newsmakers: New DETR policy could expose Nevada businesses to new level of hacking, cyber-security expert warns