As a broader swath of personal and credit data is collected for analysis and sales enablement, businesses are taking on a level of responsibility and risk that is unprecedented in the history of commerce.

As evidenced by the cyberattacks and data breaches in the headlines, criminals now find stealing your data as lucrative as stealing your cash or your inventory — or even more so.

Protecting not just what we have but also what our organization knows is a tricky business. Cybercriminals have shown an amazing propensity to adapt and evolve. While signature-based defenses alone can no longer be relied on to stop attacks, there is an opportunity to mitigate risk by looking at historical precedent and conducting an effective risk analysis in the business.

When it comes to an attack that seeks payment card or personal data that can readily be converted to cash, there is a risk commonality that is often overlooked. Thinking like a criminal can help identify it.

As fraud prevention measures and forensic analysis of attacks become more commonplace, the volume and type of data stolen are being identified faster than ever before. While the average data breach still goes undetected for more than six months, once it is discovered, the mechanisms for protecting against both identity theft and payment card fraud are quickly enabled. The compromised card numbers are reissued and no longer valid, and the identity is protected by a watch placed on lines of credit (a fraud alert or credit freeze). The shelf life of this data is finite and growing shorter. If a criminal wants to convert the data to cash, quick action is required.

In fact, prices on the dark web, black markets and carder forums are greatly influenced by the freshness of the data. Completeness (a "fullz" is a complete identity record) and freshness together set the market rate for this information, with increased value, both perceived and realized, for fresh records.

The criminal wants to get the largest volume of data in the smallest amount of time in order to realize a profit before the data spoils on the shelf. Our conclusion therefore is that criminals want to attack a business during periods of rapid influx of information.

Think about it: How many payment card data breaches have you heard about right after the completion of the biggest shopping months of the year? It isn't just coincidence that we learn about many of these in January.

Black Friday scams and tax season swindles are routinely perpetrated because the influx of "fresh" data is so appealing and rewarding for the criminals.

In recent years, health care and insurance records have been an outsized target of criminals because the data sets are often the most complete records of a single individual in existence. The movement to electronic health care records has exacerbated the problem, because so many more digital records now exist.

If you accept the theory that there is an opportunity to mitigate risk by looking at historical precedent, then pair what we know about criminal attacks (the desire for complete records) with other industries' breach trends (frequent attacks during periods of high data record influx) and ask: what circumstances in health care and insurance mimic this precedent?

I'm sure you have arrived at the same answer I did: open enrollment periods.

Insurance open enrollment presents huge opportunities for the bad guys to gain lucrative and exceptionally fresh records. Vast amounts of data are exchanged through call and contact centers, online forms and questionnaires. We can say with a great deal of confidence that these periods will see an increase in attacks. We must be vigilant during these episodes to safeguard and secure the data in the manner our customers expect.

We've heard the PCI Security Standards Council suggest that, "If you don't need it, don't store it." We would suggest going even further. First, don't just apply this maxim to payment card data; apply it to all the sensitive data, including any personally identifiable information (PII), that you encounter.

Second, even if you need it, don't store it in usable form. We are fond of saying, "You can't hack what you don't hold." There are plenty of ways (via both technology and process) in which you can minimize the risk to that data by not actually storing it. Instead, using encryption, tokenization and similar virtual technologies properly, what you store is a bunch of gobbledygook that has no value to the attacker, provided the key or the token vault that turns it back into real data is held somewhere the attacker cannot reach from the system that was breached.

Even better, you can minimize your risk by shielding the parts of your business that take the information from the information itself. For example, it is possible to keep a customer on the line with a contact center agent while the caller keys the sensitive data into their phone. The keypad input is routed directly to the payment gateway or another more secure server, so it is never heard or seen by the agent and never held in the call center infrastructure, which also shrinks the footprint that must be protected and audited. Business is conducted effectively, yet there is little to no possible spillover of the data into unsecured or unmonitored areas of the business.
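Encryption and tokenization only produce worthless "gobbledygook" if the stored surrogate cannot be turned back into the original without something the attacker does not hold. The Python below is an added example, not code from this article or from any product it describes. It contrasts a common mistake, storing a plain hash of a card number as a "token" (reversible by an attacker who knows the BIN and the last four digits printed on every receipt), with a random token issued by a vault that, like the phone-keypad flow described above, sits outside the contact center application, so the application record holds nothing that reconstructs the card. The test number 4111 1111 1111 1111, the TokenVault class and the helper names are constructed for the example.

```python
"""Added example: a hash of a card number is not a token; a random value from a
vault the application cannot read is. Inputs are constructed (Visa test PAN),
and TokenVault, hash_token, app_record and record_holds_pan are hypothetical."""
import hashlib
import secrets
from typing import Dict, Optional

SAMPLE_PAN = "4111111111111111"  # constructed: a Luhn-valid test number, never a real account


def luhn_ok(pan: str) -> bool:
    """Luhn check: validate card numbers at the edge before anything is stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# --- Anti-pattern: a deterministic hash of the PAN stored as the "token".
def hash_token(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(token: str, bin6: str, last4: str) -> Optional[str]:
    """What an attacker does with a leaked hash column: the BIN (first 6 digits)
    is public and the last 4 sit on receipts and in the same record, so only the
    middle 6 digits are unknown, at most 1,000,000 guesses. Returns the PAN or None."""
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate
    return None


# --- Pattern the article recommends: a random token issued by a vault that lives
# outside the contact center and application environment (hypothetical class).
class TokenVault:
    """Stand-in for a tokenization service or payment gateway. In production the
    token-to-PAN map is encrypted with keys the application never sees; here it is
    a plain dict so the example runs stand-alone."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)      # 128 random bits, no relationship to the PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (for example at authorization time) can go back to the PAN."""
        return self._by_token[token]


def app_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the call center application persists: enough to reference and display
    the card (token and last 4), nothing that reconstructs it."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


def record_holds_pan(record: Dict[str, str], pan: str) -> bool:
    """Audit helper: does any stored field contain the PAN or its plain hash?"""
    return any(v == pan or v == hash_token(pan) for v in record.values())


if __name__ == "__main__":
    leaked = hash_token(SAMPLE_PAN)
    print("hash 'token' recovered:", recover_pan_from_hash(leaked, SAMPLE_PAN[:6], SAMPLE_PAN[-4:]))
    vault = TokenVault()
    rec = app_record(vault, SAMPLE_PAN)
    print("app record:", rec, "holds PAN:", record_holds_pan(rec, SAMPLE_PAN))
```

Salting the hash does not rescue the anti-pattern: as long as the stored value is a deterministic function of the card number and the inputs the application holds, an attacker who takes the application database can guess it. The random token is safe for the same reason the keypad flow is: the secret that gives the data value (the vault's mapping, or the keypad digits) is never present in the system the agent and the application can reach.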

© 2024 ALM Global, LLC, All Rights Reserved.