In May 2020, Blackbaud, a U.S.-based cloud computing provider and, one of the world’s largest providers of education administration, fundraising, and financial management software, experienced a ransomware attack. Fortunately, between their cybersecurity team, a forensics expert, and law enforcement, the perpetrator was locked out. Unfortunately, before being detected, the criminal copied a subset of data, which was held for ransom. Blackbaud paid the ransom and received confirmation the data had been destroyed. Nevertheless, this attack left their customer’s data compromised, and their reputation was further damaged by waiting several weeks to notify their customers.
At first glance, Blackbaud appears to have a very strong cybersecurity program. Their website advertises not only their deep security posture with adherence to industry-recognized security standards but also a variety of valuable independent auditor reports such as SOC 2 Type 2 and PCI DSS assessments. Despite all that, they were still breached and are responsible for endangering clients to a cyberattack.
How can you protect your organization from a service provider breach?
Since breaches require immediate action, it’s essential to have an action plan in response to vendor data breaches before they happen. We recommend the following actions that will both help prepare for a breach at one of your service providers and keep your customer data safe.
1. Understanding vendor breach identification and notification
What compliance regulations are your vendors subject to when it comes to reporting breaches to their clients?
Under General Data Protection Regulations (GDPR), organizations have a limited time to gather all the information about the breach and notify all regulators and affected individuals. Your vendor is accountable for the risk to your reputation if you receive late news that your data has been compromised. You must receive a guarantee that your vendor will notify you immediately if there is a data breach.
What steps do you have in place with your vendor to receive vendor breach exposures?
Check your contract for a breach notification requirement. If you don’t find one, contact your vendor and make a plan that includes:
- A definite notification timeline
- Clear instructions relating to the handling of any NPI or PII information affected
- Action steps to protect and respond to the breach
2. Responding to a vendor breach with an RCA
If the vendor followed compliance guidelines and explicitly informed your company in a timely manner, fast-acting staff can save you. If they’ve received proper cybersecurity training, they could lessen the risk of identity theft and help you avoid the responsibility of resolving the cybercrime.
Nevertheless, once you have discovered a breach and determined its impact, you must:
- Work with your legal advisors to evaluate your obligations and possible remedies in your specific situation. Your obligations may vary by state.
- Work with your insurance provider since you may be required to report the event in a specified timeline.
If your vendor hasn’t provided information about the incident, request a root cause analysis (RCA), which is a systematic process for identifying “root causes” of problems or events and an approach to address them. RCA is based on the idea that effective management not only “puts out fires” but finds a way to prevent them.
An RCA could answer such questions as:
- What data was compromised?
- What went wrong?
- When did the breach happen?
In addition to the RCA, you have the right to request the vendor’s data security policy, incident response plan, reports for security auditors and inspections, NDAs, and data security training programs and provisions.
3. Reporting vendor breaches to your stakeholders
No matter how disruptive the incident may be, reporting the vendor breach to your internal and external stakeholders is essential. Key stakeholders play a crucial role in assessing the IT risk among the organization. They will help you contact the IRS or law enforcement. Review your incident response plan and confirm you have appropriate communication templates in place for different groups of stakeholders, such as staff, donors, clients, or grantors.
4. Solidifying your vendor oversight processes and cybersecurity
After a serious breach, what’s next? You may be reconsidering your vendor oversight processes. Optimize your vendor risk assessment by implementing the following:
- Review the cybersecurity practices of vendors who can access or host your data
- Implement a “lessons learned” section within the incident response plan and tie it into the vendor risk assessment
- Review your cybersecurity controls to prevent future cyberthreats
In conclusion, highly targeted third-party data breaches are increasing year after year. Often, when an organization is hacked, its data and that of other companies, vendors, or individuals can be compromised. To protect your organization from a breach, you should establish a comprehensive vendor-risk management plan that will help you evaluate your contracts and respond to worst-case scenarios. No matter how small or big, cybercrime is inevitable — review your cybersecurity controls to ensure your organization is protected.
How we can help
Our cybersecurity experts can help you identify and mitigate your risk from third-party vendor breaches with our seven-point cybersecurity assessment. We'll give insight into where you're vulnerable and what a hacker sees so you can prevent attacks before they ever happen. Contact Scott Petree today to learn more.