Cyber breaches like the recent Blackbaud data security incident remind us that no one is out of reach of cybercriminals. In our newest Not-for-Profit webinar, join Matthew Socha, Partner and Industry Leader of the Firm’s Not-for-Profit practice, and Steve Ursillo, Partner and Leader of the Firm’s Information Assurance & Cybersecurity practice, for a discussion on Blackbaud’s response and next steps for organizations impacted by the breach.
HOST: MATTHEW SOCHA: Hello and welcome to this edition of Cherry Bekaert's Not-for-Profit podcast. This is the place where we talk about a variety of matters impacting Not-for-Profit organizations. I am your host, Matthew Socha, the Not-for-Profit industry practice leader for Cherry Bekaert.
HOST: MATTHEW SOCHA: I am very happy to be joined by our guest today, Steve Ursillo. Steve is the leader of Cherry Bekaert's cybersecurity group. Steve, welcome to the podcast. It's great to have you with us.
STEVE URSILLO: Thanks, Matt. Pleasure to be here.
HOST: MATTHEW SOCHA: The subject of today's conversation is the Blackbaud ransomware incident that recently made the news. It was a ransomware and data breach, and Steve, as you know, Blackbaud is a market leader in Not-for-Profit fundraising and accounting software. This breach appears to have had a broad impact; many of our clients have reached out to us with questions and advice requests.
HOST: MATTHEW SOCHA: Pretty much anyone involved in Not-for-Profit fundraising activity might use this software. We know that the cybercriminal copied some of Blackbaud's customer data, including donor names, addresses, contact information, and donation amounts, according to information received from our clients.
HOST: MATTHEW SOCHA: I know you've read Blackbaud's response. When I read it, it looks like they're on top of things; they say they have no reason to believe any data went beyond the cybercriminal. How do you interpret Blackbaud's response from a cybersecurity expert's point of view?
STEVE URSILLO: It's unfortunate to see incidents and breaches like this; breach fatigue has become common. As it pertains to third parties reporting incidents, the response appears fairly well orchestrated.
STEVE URSILLO: Most legal requirements for breach notification were covered in that response. Ultimately, it comes down to the customers and user organizations evaluating what that means for them: what type of data the provider had, what was involved, and what obligations they have to the data subjects.
STEVE URSILLO: That evaluation is typically orchestrated by identifying the appropriate team, securing legal representation, and ensuring the incident response program clearly identifies actions for responding. State regulatory bodies and contractual terms will prescribe breach notification timelines and required communications.
STEVE URSILLO: From what I observed, Blackbaud's response covered the measures needed so organizations can determine the impact on them.
HOST: MATTHEW SOCHA: Blackb likely has extensive legal and technical resources. If I'm at a small Not-for-Profit and I receive notice that some of my data may have been compromised, where should I begin? I might not have in-house counsel or a chief technology officer.
STEVE URSILLO: The appropriate response depends on the cyber maturity of the impacted organization. Those with a mature incident response program have an advantage with a well-orchestrated execution timeline and lessons learned. Organizations with ad hoc programs may struggle to meet required timeframes.
STEVE URSILLO: Breach notification requirements can be short—sometimes 72 hours—so it's important to plan for incidents before they happen. Know who your legal representatives are, have insurance company contact information ready, and understand what resources the insurer will provide for legal and forensic support.
STEVE URSILLO: Consider whether coverage will be adequate and how to communicate the response to your constituents if your customers' data was part of the provider's breach. Proactively evaluate third-party relationships; supply chain and vendor management are essential to understanding and shifting risk.
STEVE URSILLO: Understand the type of data your vendors hold, what controls they have, and how you would cooperate in a response to ensure timely action.
HOST: MATTHEW SOCHA: You've worked with many organizations, including Not-for-Profits. When you consult to raise the maturity of controls, what common deficiencies do you see?
STEVE URSILLO: Focus on a risk-based approach to prioritize what will provide the best residual risk mitigation. Ultimately, it comes down to the information security program: the more formalized and repeatable it is, the better the orchestration and accountability.
STEVE URSILLO: Common deficiencies include infrequent risk assessments, vulnerability assessments, and penetration testing. Organizations should consistently look for high-risk components and emerging vulnerabilities and simulate attacker behavior so low-hanging fruit is not exposed.
STEVE URSILLO: Other key components are timely system updates, strong authentication and access control, and multi-factor authentication. Training and awareness are critical because attackers target the weakest link—the users.
STEVE URSILLO: Beyond prevention, focus on detection, response, and recovery through an incident response program, event logging, and an assumed-breach mentality. The goal is to detect attackers as soon as they enter the network.
HOST: MATTHEW SOCHA: So there is no silver bullet; it's a culmination of many controls that makes it difficult for cybercriminals to succeed. Your house analogy—locking doors and windows—fits well: one open window is an opportunity.
STEVE URSILLO: Exactly. You need ongoing assessments and someone regularly looking for threats and risks to mitigate them.
HOST: MATTHEW SOCHA: Thank you for your time today, Steve. I appreciate your expertise and insight. This won't be the last breach, and listeners dealing with cybersecurity issues should reach out to Steve or me for assistance.
STEVE URSILLO: Thank you, Matt. It's a pleasure.
HOST: MATTHEW SOCHA: All right, so long.