Blackbaud Hack Rattles Non-Profits – But what can they do?

By Heather Paunet, Senior VP of Products, Untangle

The UK National Trust. Rhode Island School of Design. Boy Scouts of America. The ACLU, The George W. Bush Presidential Center and NPR. What do all of these organizations have in common? All are among the 130+ organizations that became victims of a recent data breach targeting their cloud provider of choice, Blackbaud. Blackbaud is one of the world’s largest cloud computing providers, aiming to serve organizations whose primary goal is to demonstrate and provide social good. As such, Blackbaud serves associations ranging from some of the most prestigious universities to the largest nonprofits, all of whom had a portion of their data compromised as a result of this ransomware attack.

Blackbaud was blindsided by this attack in May 2020. Against the recommendation of many cybersecurity professionals, Blackbaud chose to pay the hackers their requested ransom, an undisclosed amount paid in Bitcoin, in exchange for “credible confirmation” that the attackers had deleted any data they had stolen. Given the amount of data accessed, it may very well be that the firm felt it had little choice in the matter. Even worse, the scope of that data appears to be far beyond what Blackbaud initially believed: the company recently announced that sensitive financial data was also stolen in the breach, after its initial reports had promised that this data was not accessed.

As we enter Cybersecurity Awareness Month, we need to look at where this leaves the organizations whose data was compromised. As nonprofits continue to adopt new technologies and applications that help them process and monitor donor information and contributions, what steps can they take to protect sensitive data?

The answer can be complex. The fact of the matter is that nonprofit organizations, given the number of full-time staff they can support, rely heavily on third-party vendors or services to operate as efficiently as possible. As seen with this cyber attack, that can leave some data security outside of their hands. In today’s interconnected world it is the responsibility of both the nonprofits and the vendors they choose to develop ways to safeguard any sensitive data.

There are multiple solutions that both nonprofits and the vendors they work with can implement to ensure that any data the organization captures is as secure as possible. One of the most comprehensive solutions is creating a multi-layered network security system between the nonprofit and their vendors. 

In a multi-layered system, there are different barriers, parameters, and permissions set based on multiple factors, preventing anyone from having complete access to all sensitive data unless they are given administrative access. For example, within a nonprofit’s staff, those who manage volunteers may have different access than grant writers or those managing operational costs. These permission limitations would then extend to any third-party vendor, giving them access, if needed, only to the information that is applicable to them. In this case, since Blackbaud can be used for donor management, restricting its access to only the names and emails of donors, rather than extended demographic data, previous donation information, or payment information, can prevent a data breach from becoming catastrophic for the entire database.
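The field-level segmentation described above, as an added example that is not part of the original article or of Untangle's or Blackbaud's products: a default-deny allowlist maps each role (the role names, field names and sample donor records are assumptions constructed for illustration) to the donor fields it may receive, so a donor-management vendor gets names and emails only, and every withheld sensitive field is recorded for the audit process the article recommends.

```python
from dataclasses import dataclass

# Assumed role names and field allowlists for illustration; any role not listed is denied everything.
FIELD_POLICY = {
    "admin": {"*"},
    "volunteer_manager": {"name", "email", "volunteer_hours"},
    "grant_writer": {"name", "donation_history"},
    "vendor_donor_mgmt": {"name", "email"},  # third-party vendor: names and emails only
}

# Fields whose exposure would turn a vendor-side breach into a catastrophic one (assumed categories).
SENSITIVE_FIELDS = {"payment_card", "donation_history", "demographics"}


@dataclass
class AccessResult:
    released: dict          # the fields the role is allowed to see
    withheld: set           # field names stripped from the record
    sensitive_blocked: set  # the subset of withheld fields that are sensitive


def release_record(role: str, record: dict) -> AccessResult:
    """Return only the fields the role's allowlist permits (default deny for unknown roles)."""
    allowed = FIELD_POLICY.get(role, set())
    if "*" in allowed:
        return AccessResult(dict(record), set(), set())
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - set(released)
    return AccessResult(released, withheld, withheld & SENSITIVE_FIELDS)


def export_for_role(role: str, records: list) -> tuple:
    """Filter a batch of donor records for a role; return (filtered_records, audit_lines)."""
    filtered, audit = [], []
    for rec in records:
        res = release_record(role, rec)
        filtered.append(res.released)
        if res.sensitive_blocked:  # log what was kept away from this role, for the audit trail
            audit.append(f"role={role} withheld={sorted(res.sensitive_blocked)} donor={rec.get('name')}")
    return filtered, audit


# Constructed sample donor records, not real data.
SAMPLE_DONORS = [
    {"name": "Donor A", "email": "a@example.org", "demographics": {"age": 41},
     "donation_history": [250, 100], "payment_card": "tok_placeholder", "volunteer_hours": 5},
    {"name": "Donor B", "email": "b@example.org", "demographics": {"age": 29},
     "donation_history": [50], "payment_card": "tok_placeholder2", "volunteer_hours": 0},
]

if __name__ == "__main__":
    recs, audit = export_for_role("vendor_donor_mgmt", SAMPLE_DONORS)
    print(recs)
    print("\n".join(audit))
```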

To enact a multi-layered approach, nonprofits should look to employ technologies that allow for centralized management across an entire network, with the multi-faceted protection that comes with a next-generation firewall. Next-generation firewalls, while including advanced web filtering and malware protections, allow network administrators to dive deep into network management and can be easily configured to each environment through a set of policies and alerts.

By deploying a next-generation firewall with its combination of layered security protocols and advanced technology aimed at protecting the network, nonprofits can take more control and better monitor their data.

The second major way both nonprofits and the vendors they partner with can address cybersecurity is by putting a comprehensive auditing and communication process in place. Each organization will have its own digital stack, internal IT departments, and other areas connected via different applications. Vendors should make it a consistent habit to conduct network security audits, focusing on any patches or updates that may be needed, irregular behavior, or simply updating the staff directory. These audits should be presented to their clients, in this case the nonprofit organization they are working with, to ensure that any reciprocal updates that need to be made are made, and that all information is continuously kept current. This reporting cadence helps nonprofits confirm that the organizations they work with remain current with industry standards, and it increases the communication between both organizations.

Organizations will need to continue to work hand-in-hand with their vendors, not only to streamline their services but also to ensure that any data collected is protected by both entities. Cyber attacks will continue to target a portion or the whole of a network, but creating these proactive barriers will make it more difficult for cyber criminals to gain full access to any one part of the organization. For nonprofits that rely heavily on vendors to maintain operations, increasing network security will go a long way toward maintaining donor trust and continued support.

About Heather Paunet:

Heather Paunet is the Senior Vice President of Products & Marketing at Untangle, responsible for building the right products for customers, taking into account customer needs and market trends. She has over 15 years’ experience driving the development and go-to-market of software solutions. Prior to joining Untangle, she held product leadership roles at Cisco Systems, and was Vice President of Product at various high-tech security and networking companies in the Silicon Valley. She has a Bachelor of Science in Computer Engineering and spent the first few years of her career as a software engineer.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.