Las Vegas Sun

September 18, 2018

Currently: 81° — Complete forecast

New policy could expose Nevada businesses to hackers, cybersecurity expert warns

Updated Tuesday, Sept. 11, 2018 | 12:27 p.m.

A new policy that requires Nevada businesses to send confidential information to state officials via a website could expose the businesses to a new level of hacking, a cybersecurity expert said on Nevada Newsmakers.

Ira Victor, a digital forensic analyst at DiscoveryTechnician.com, said the Nevada Department of Employment, Training and Rehabilitation’s new mandate that business send information such as employees’ salaries and Social Security numbers through its website could create more risks than sending it through the U.S. mail.

DETR officials said they are confident of the security of the information entered into its data storage units.

Victor said the DETR should have done a risk assessment of the new policy before putting it in force.

“Businesses have a lot of risks,” Victor said. “Employers are very concerned about their privacy. The citizens of Nevada, both the employees and the businesses, should be able to make the decision of whether they feel safe with their systems connecting with the state, or whether they feel the risk is too high, the liability is too high and instead, want to keep printing out the form and mailing the information to DETR.”

"An internet connection is two-way," Victor said. "Like a fax, there is a sender of a fax and a receiver of a fax. There is a sender of an email and a receiver of the email. To only look at the receiver's side, is actually, from a security perspective, negligent. You need to look at the complete connection and there should be a risk assessment made from the entire transaction. And the state, basically, they've not looked at that."

State officials don’t realize the vulnerabilities of their new mandate, Victor said. He suggested the 2019 Legislature look into the issue.

CORRECTION: This story has been corrected to reflect that the Department of Employment, Training and Rehabilitation is requiring information to be submitted via its website. | (September 11, 2018)