Vendor cybersecurity risk: is your non-profit prepared?

Updated: Apr 12

Last summer many in the non-profit sector received a communication informing them that their information, stored on Blackbaud’s servers, had been captured by cybercriminals.

Blackbaud, a popular cloud software company, powers many non-profit organizations by helping them manage donor information, finances, vendor facilitation, grants, marketing, and payments.

Imagine the shock! Your closest supplier, the one that is not only entrenched in many facets of your daily operations but also houses most of your sensitive information, has been breached. And now, from being your closest ally, it has become your biggest problem. Overnight.

The ramifications were massive. Blackbaud’s clients had to investigate and determine what information was accessed, decide whether they had to notify their own clients, and launch their own incident response plans. Many, especially in the non-profit sector, were caught unprepared.

A year has passed since this incident was reported. A year like no other, in which organizations have had to reinvent their service delivery, outreach efforts, and internal ways of working. In such stressful situations, accommodations and adaptations are made in haste, often leaving security behind. Now, as life begins to return to normal, it is time to ask whether your organization is prepared.

We find that most organizations are not prepared for a third-party (supply-chain) cyber attack, and in today's hyper-integrated economy that means ignoring a significant business risk. Third-party cyber attacks are only increasing in frequency, in depth, and in the damage they inflict. These types of attacks make a lot of sense (and money) for attackers.
Why waste effort trying to hack a well-protected enterprise when you can quickly go through one of its suppliers? Why spend time on a single target and a single account? Find a soft underbelly in a supply chain and gain access to multiple organizations through a single attack. It scales!

So don't wait for that 3 AM call from one of your suppliers telling you they have been hacked. Plan for it.
  • Gain visibility into who your suppliers are. Some suppliers are obvious; some are not.

  • Assess existing and new suppliers' cybersecurity posture and simulate your business impact, assuming they are breached.

  • Educate your supply-chain members on the importance of elevating their posture, and require minimum thresholds to be met as a condition of doing business together.

  • Facilitate a process that allows you to learn about incidents on your vendors’ side as quickly as possible.

  • Document suppliers' efforts to assess progress and compliance over time.

  • Constantly monitor the landscape. Periodically is not enough.
The Blackbaud travails are a cautionary tale that has unfortunately repeated itself more than a few times since, affecting many organizations and real lives; a cyberattack is nowadays a question of when, not if. But not all is gloom and doom. Organizations that invest in cybersecurity are not only less likely to suffer a breach but also develop the resiliency that helps them bounce back faster and at lower cost.

Your organization should have the right procedures, processes, and technologies in place to mitigate cyber-related business risks. Set up an overall cybersecurity strategy that takes into account both knowns and unknowns. Build a roadmap to elevate your cyber defenses, and implement it. Constantly challenge and test your executives, your employees, and the defenses you have put in place.

Cyberattacks are becoming more aggressive, more sophisticated, and more frequent — and everyone is a target.