FACT: I love french bread
FACT: The best french bread I've ever had was a baguette from Boulangerie Guillaume in Montreal. It was perfectly crusty on the outside and fluffy on the inside. Amazing.
Now watch me demonstrate my expert writing skills by segueing directly into today's topic - The Dun & Bradstreet (D&B) leak.
If you're not familiar with D&B, they are one of the largest collectors of business data in the world. Their database contains data on more than 235 million companies. They provide business credit information, marketing lists, and more. The leak reported last week consisted of 33 million records. Information such as company officer names and email addresses were a part of the leak. The article referenced above details a lot of the companies affected but among them are the US Department of Defense, AT&T, FedEx, and IBM.
Not much has been solidly reported on the leak. D&B states unequivocally that there has not been a breach. They also stated that the data didn't come from any of their customers... but it had to come from somewhere. It's a bit of a mystery at this point.
So why am I writing about it and why does it matter? Because targeted phishing, also known as spear phishing, just became infinitely easier. Spear phishing is the practice of making an email look like it came from someone who it did not. This is more effective than random phishing as evidenced by the rash of W2 spear phishing attacks this year. Armed with the D&B data Spear phishers will be able to more easily pose as a known employee of a company and ask for sensitive data.
The best way to combat spear phishing is to have a policy of never emailing sensitive data containing PII or financial data. There are better and more secure ways of sharing that data. However if you must email it, the best way to prevent accidental exposure is to pick up the phone and call the person that asked for the data to verify that they indeed did ask for it. When replying to the email, delete the automatically entered "reply-to" address and re-type the person's email address to make sure it's going to the right spot. And finally, do not trust an email, even if it seems to be from a trusted person, that says something like "I can't access my business email at the moment but I need this sensitive data immediately. Please send it to my personal email address..."
In closing, thieves are getting smarter and smarter and there is not always a technical solution that can automatically fix the problem. That's why part of the NeoCloud seven-layer security model is constant training, education and reminders. Ultimately we feel that knowledge coupled with technology is the best way to stay safe!
If you'd like to know more about NeoCloud Consulting, our seven-layer security model or my love of french bread, please get in touch with me and I'm glad to discuss it!
Until next time! Time for me to go get a baguette.......