News - September 5, 2018 - by Ray Hagar
Note: Corrections have been made to this story to show that businesses must send sensitive information to DETR via the DETR website, not e-mail.
A new policy that requires Nevada businesses to send confidential information to state officials through the internet could expose the businesses to a new level of hacking, a cyber-security expert said on Nevada Newsmakers.
Ira Victor, a digital forensic analyst at DiscoveryTechnician.com, said the Nevada Department of Employment, Training and Rehabilitation's new mandate, that businesses must send information such as employees' salaries and Social Security numbers via the DETR website, could create more risks than sending them through the U.S. mail.
Victor said the Department of Employment, Training and Rehabilitation (DETR) should have done a "risk assessment" of the new policy before putting it in force.
"Businesses have a lot of risks," Victor said. "Employers are very concerned about their privacy. The citizens of Nevada, both the employees and the businesses, should be able to make the decision of whether they feel safe with their systems connecting with the state, or whether they feel the risk is too high, the liability is too high and instead, want to keep printing out the form and mailing the information to DETR."
Internet connections require a two-way connection -- between the businesses and the state -- but the state seems concerned only about the security on its side, leaving businesses vulnerable, Victor said.
"An internet connection is two ways. Like a FAX, right? There is a sender of a FAX and a receiver of a FAX. There is a sender of an e-mail and a receiver of an e-mail," he said. "To only look at the receiver's side, is actually, from a security perspective, negligent. You need to look at the complete connection and there should be a risk assessment made from the entire transaction. And the state, basically, has not looked at that.
"Before this ruling was changed, the history has been that business can either go online if they feel the data can be safely sent online to the state or they can print out a form and mail it in to DETR," Victor said.
State officials don't realize the vulnerabilities of their new mandate, Victor said. He suggested the 2019 Legislature look into the issue.
"This potentially affects every single employee and business in Nevada," he said. "I think we should take a step back, do a bigger picture risk assessment and in the meantime, let's keep the status quo."
Sending the sensitive information through the mail is safer than sending through the DETR website unless cyber-criminals mug the person who is taking it at the DETR office, Victor joked.
"If you did a risk assessment, it might turn out that it is safer to fill out that form and mail it in," he said.
DETR officials said they are confident of the security of the business information once it is entered into their data storage units. Victor, however, said he is not impressed with Nevada's state government's system of cyber-security.
"In addiction (intervention), the first step is to recognize you have a problem," Victor said. "I don't think they (state officials) have got to the first step yet. They are still at the stage where they say, 'We take security very seriously...' but they need to get to that first step of recognizing a problem and then we can start to tackle it."
Victor said he recently attended a DETR hearing on the issue and that he offered his help in doing a complete risk assessment on the issue. So far, he has been ignored.
"The senior (DETR) officials after the hearing said, 'We have limited budget and resources, we can't do that.' (I said), 'Well then, ask for help.'
"After the hearing, I spoke with one of the legal staff members at DETR and they said, 'We'll take this under advisement but Ira, if we need some help on what this risk assessment would look like, would you help?' I said, 'Yes, let's do it.'
"They have not followed up," Victor said. "They didn't take advantage of that opportunity."