As a broader swath of personal and credit data is collected for analysis and sales enablement, businesses are taking on a level of responsibility and risk that is unprecedented in the history of commerce.
As evidenced by the cyberattacks and data breaches in the headlines, criminals now find stealing your data as lucrative as stealing your cash or your inventory — or even more so.
Protecting what we have, but also what our organization knows, is a tricky business. Cybercriminals have shown an amazing propensity to adapt and evolve. While we can no longer rely on signature-based protection from attack, there is an opportunity to mitigate risk by looking at historical precedent and conducting an effective risk analysis in the business.
When it comes to an attack that seeks payment card or personal data that can readily be converted to cash, there is a risk commonality that is often overlooked. Thinking like a criminal can help identify it.
As fraud prevention measures and forensic analysis of attacks become more commonplace, the volume and type of data stolen are being identified faster than ever before. While the average data breach still persists for more than six months, once it is discovered, the mechanisms for protecting against both identity theft and payment card fraud are quickly enabled. Thus, the payment card numbers are no longer valid and the identity is protected with a watch placed on lines of credit. The shelf life of this data is finite and growing shorter. If a criminal wants to convert the data to cash, quick action is required.
In fact, prices on the dark web, black markets and carder forums are greatly influenced by the freshness of the data. Fullz (complete identity records) and the freshness of the data actually set the market rate for this information, with increased value both perceived and realized for fresh records.
The criminal wants to get the largest volume of data in the smallest amount of time in order to realize a profit before the data spoils on the shelf. Our conclusion therefore is that criminals want to attack a business during periods of rapid influx of information.
Think about it: How many payment card data breaches have you heard about right after the completion of the biggest shopping months of the year? It isn’t just coincidence that we learn about many of these in January.
Black Friday scams and tax season swindles are routinely perpetrated because the influx of “fresh” data is so appealing and rewarding for the criminals.
In recent years, health care and insurance records have been an outsized target of criminals because the data sets are often the most complete records of a single individual in existence. The movement to electronic health care records has exacerbated the problem, because so many more digital records now exist.
If you accept the theory that there is an opportunity to mitigate risk by looking at historical precedent, we should pair what we know about criminal attacks (the desire for complete records) and other industries’ breach trends (frequent attacks during periods of high data record influx) and ask ourselves, what circumstances in health care and insurance mimic this precedent?
I’m sure you have arrived at the same answer I did: open enrollment periods.
Insurance open enrollment presents huge opportunities for the bad guys to gain lucrative and exceptionally fresh records. Vast amounts of data are exchanged through call and contact centers, online forms and questionnaires. We know with a great deal of certainty that these periods are likely to see an increase in attacks. We must be vigilant during these episodes to safeguard and secure the data in the manner our customers expect.
We’ve heard the PCI Security Standards Council suggest that, “If you don’t need it, don’t store it.” We would suggest going even further. First, don’t just hold this maxim to payment card data; apply it to all the sensitive data, including any personally identifiable information (PII), that you encounter.
Second, even if you need it, don’t store it. We are fond of saying, “You can’t hack what you don’t hold.” There are plenty of ways (via both technology and process) in which you can minimize the risk to that data by not actually storing it. Instead, using encryption, tokenization and virtual technologies properly, you store a bunch of gobbledygook that has no value for the attacker.
Even better, you can minimize your risk by separating the parts of your business that accept the information from the information itself. For example, it is possible to keep a customer on the line with a contact center agent while the caller enters the sensitive data on their phone. The information is routed to the payment gateway or a more secure server, so it is never shared with the agent or even held in the call center infrastructure. Business is conducted effectively, yet there is little to no possible spillover of the data to unsecured or unmonitored areas of the business.
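The two ideas above (tokenize so you store "gobbledygook", and keep the card number out of the agent's hands entirely) can be modelled in a few lines. This is an added example, not code from the original article: the `PaymentGateway` and `ContactCenter` classes are hypothetical stand-ins, the card number is a constructed test value, and the design assumes the keypad digits go straight from the IVR to the gateway, so the agent desktop and the call-record store only ever receive a random token plus the last four digits.

```python
import re
import secrets

# Constructed sample input: a test card number keyed by the caller on their
# phone keypad (DTMF) and captured by the IVR component, not heard by the agent.
CALLER_PAN = "4111111111111111"


def luhn_ok(pan):
    """Standard Luhn check, used to reject mistyped keypad input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class PaymentGateway:
    """Hypothetical external gateway / token vault (assumption): the only
    place the real card number is kept, outside the contact-center estate."""
    def __init__(self):
        self._vault = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("rejected card number")
        token = "tok_" + secrets.token_hex(8)   # random; carries no PAN information
        self._vault[token] = pan
        return token, pan[-4:]


class ContactCenter:
    """Hypothetical agent desktop plus call-record store."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.records = []

    def take_payment(self, agent, dtmf_pan):
        # The IVR hands the keypad digits straight to the gateway; this store
        # and the agent only ever see the token and the last four digits.
        token, last4 = self.gateway.tokenize(dtmf_pan)
        record = {"agent": agent, "card_token": token, "last4": last4}
        self.records.append(record)
        return record

    def holds_pan(self):
        """Audit check: does anything in the call-center store look like a PAN?"""
        blob = str(self.records)
        return any(luhn_ok(m) for m in re.findall(r"\d{13,19}", blob))
```

The `holds_pan` audit is the check to run over your own stores: if it ever returns True, card data has spilled into infrastructure that was supposed to hold only tokens.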