By Brian Graham – Senior Vice President, Enterprise Sales for North America
As we’ve seen by the numerous cyber attacks and data breaches in the news headlines, criminals today know that stealing personal data is as lucrative (or perhaps more lucrative) than stealing cash or goods. That’s because stolen payment card data and consumer’s personally identifiable information (PII) can be readily converted to cash when sold on the black market.
However, what you may not realize is that the freshness of the data is a critical component in determining the market price it will fetch on the dark web. When an enterprise data breach is discovered, the organization quickly begins initiating the mechanisms for both protecting the affected individuals from identity theft, as well as cancelling payment cards and issuing new ones. Thus, the stolen payment card numbers are no longer valid and the consumer’s identity is protected with a watch placed on lines of credit. The shelf life of stolen data is finite and growing shorter. If a criminal wants to convert the data to cash, quick action is required. As a result, cybercriminals want to get the largest volume of data in the smallest amount of time, in order to realize a profit before the data spoils on the shelf.
Cybercriminals are increasingly eyeing their targets with that strategy in mind, and as a result, seek to attack businesses during periods of rapid influx of information that is known to be both fresh and provide complete records. In the U.S., there is no better target than during the health insurance open enrollment period. Healthcare insurance records and data sets often provide the most complete records of a single individual in existence, and the move to electronic medical records has exacerbated the problem because so many more digital records now exist.
The health insurance open enrollment period in the U.S. presents criminals with huge opportunities to gain lucrative and exceptionally fresh records. During this period, vast amounts of data are exchanged through call and contact centers, online forms and questionnaires as consumers apply for different insurance plans and “shop around” for the best plans available to them.
Enterprises that deal with healthcare data, health insurance information and medical records must be extra vigilant during these time periods to safeguard and secure consumers’ sensitive personal data.
The PCI Security Standards Council often recommends to businesses “If you don’t need it, don’t store it.” Well, here at Semafone, we suggest going even further. First, don’t apply this maxim to just payment card data; apply it to all the sensitive data, including any customer PII that enters your organization. By using encryption, tokenization and virtual technologies properly, the enterprise can store gobbledygook that has no value for the attacker.
Second, even if you do need it, you don’t have to store it. We are fond of saying “They can’t hack what you don’t hold.” Enterprises can minimize risk by actually shielding the aspects of the business that take the information from the information itself. For example, when a customer calls in to the contact center, rather than having them share their PII with the call center agent, have the customer input the sensitive data using their telephone keypad. The data is routed to the payment gateway or a more secure server so it is never shared with the agent or even held in the call center infrastructure. This ensures that there is little to no possible spillover of the data to the unsecured or unmonitored areas of your business, reduces the number of individuals with access to the sensitive data, and reduces the potential for data breaches.