Skip to Content
IT/cybersecurity professional in a server room.

Vendor security breaches: Four steps for risk reduction

September 29, 2020 / 4 min read

Your organization could be the Fort Knox of cybersecurity when you consider these four steps for risk reduction.

In May 2020, Blackbaud, a U.S.-based cloud computing provider and, one of the world’s largest providers of education administration, fundraising, and financial management software, experienced a ransomware attack. Fortunately, between their cybersecurity team, a forensics expert, and law enforcement, the perpetrator was locked out. Unfortunately, before being detected, the criminal copied a subset of data, which was held for ransom. Blackbaud paid the ransom and received confirmation the data had been destroyed. Nevertheless, this attack left their customer’s data compromised, and their reputation was further damaged by waiting several weeks to notify their customers.

At first glance, Blackbaud appears to have a very strong cybersecurity program. Their website advertises not only their deep security posture with adherence to industry-recognized security standards but also a variety of valuable independent auditor reports such as SOC 2 Type 2 and PCI DSS assessments. Despite all that, they were still breached and are responsible for endangering clients to a cyberattack.

How can you protect your organization from a service provider breach?

Since breaches require immediate action, it’s essential to have an action plan in response to vendor data breaches before they happen. We recommend the following actions that will both help prepare for a breach at one of your service providers and keep your customer data safe.

1. Understanding vendor breach identification and notification

What compliance regulations are your vendors subject to when it comes to reporting breaches to their clients?

Under General Data Protection Regulations (GDPR), organizations have a limited time to gather all the information about the breach and notify all regulators and affected individuals. Your vendor is accountable for the risk to your reputation if you receive late news that your data has been compromised. You must receive a guarantee that your vendor will notify you immediately if there is a data breach.

What steps do you have in place with your vendor to receive vendor breach exposures?

Check your contract for a breach notification requirement. If you don’t find one, contact your vendor and make a plan that includes:

2. Responding to a vendor breach with an RCA

If the vendor followed compliance guidelines and explicitly informed your company in a timely manner, fast-acting staff can save you. If they’ve received proper cybersecurity training, they could lessen the risk of identity theft and help you avoid the responsibility of resolving the cybercrime.

Nevertheless, once you have discovered a breach and determined its impact, you must:

If your vendor hasn’t provided information about the incident, request a root cause analysis (RCA), which is a systematic process for identifying “root causes” of problems or events and an approach to address them. RCA is based on the idea that effective management not only “puts out fires” but finds a way to prevent them.

An RCA could answer such questions as:

In addition to the RCA, you have the right to request the vendor’s data security policy, incident response plan, reports for security auditors and inspections, NDAs, and data security training programs and provisions.

3. Reporting vendor breaches to your stakeholders

No matter how disruptive the incident may be, reporting the vendor breach to your internal and external stakeholders is essential. Key stakeholders play a crucial role in assessing the IT risk among the organization. They will help you contact the IRS or law enforcement. Review your incident response plan and confirm you have appropriate communication templates in place for different groups of stakeholders, such as staff, donors, clients, or grantors.

4. Solidifying your vendor oversight processes and cybersecurity

After a serious breach, what’s next? You may be reconsidering your vendor oversight processes. Optimize your vendor risk assessment by implementing the following:

In conclusion, highly targeted third-party data breaches are increasing year after year. Often, when an organization is hacked, its data and that of other companies, vendors, or individuals can be compromised. To protect your organization from a breach, you should establish a comprehensive vendor-risk management plan that will help you evaluate your contracts and respond to worst-case scenarios. No matter how small or big, cybercrime is inevitable — review your cybersecurity controls to ensure your organization is protected.

How we can help

Our cybersecurity experts can help you identify and mitigate your risk from third-party vendor breaches with our seven-point cybersecurity assessment. We'll give insight into where you're vulnerable and what a hacker sees so you can prevent attacks before they ever happen. Contact Scott Petree today to learn more.

The key to stronger cybersecurity controls? Open conversation. 

Related Thinking

Person holding telescope
May 28, 2024

How to spot a fraudster: Red flags that suggest occupational fraud

Article 4 min read
Shopper looking at products in grocery store aisle, considering SKU rationalization and accurate costing data.
April 22, 2024

The art of SKU rationalization: Getting accurate costing data

Article 5 min read
Video thumbnail introducing the R&D tax credit video.
January 18, 2024

R&D tax credit: Does your business qualify?

Video 3 min watch