B2B Payments

Uncovering The Lessons In A Third-Party Cyberattack

B2B Software-as-a-Service company Blackbaud recently notified its customers that in February of this year it fell victim to a ransomware attack and was not aware of the issue until about three months later.

The fallout continues to grow, with reports noting its slew of nonprofit and corporate customers have now been exposed to security threats as a result of data stolen in the Blackbaud breach.

Cybersecurity experts at Breach Clarity now peg the number of clients impacted at 136.

As a supplier of computing software services, Blackbaud is only the latest example of how cyberattacks aren't isolated to its targets. Indeed, its corporate customer base has now been affected as well. Despite a rising understanding of the importance of third-party cyber risk mitigation efforts, such incidents as these continue to occur — and amid the pandemic, the volume of attacks is on the rise.

According to Breach Clarity CEO and Co-founder Jim Van Dyke, this isn't to say that organizations' security investments are failing.

"While breaches are never entirely avoidable, the fact that they occur at much lower rates in the financial sector, where security investments are highest, generally proves that a stronger focus on security can lead to higher rates of safety," he told PYMNTS, advising firms to "make sure that security is getting a very high priority."

There are gaps in awareness and understanding of not only the security of one's own organization, but the third parties with which that firm interacts.

According to Van Dyke, this gap comes down to the employee level. All it takes is one professional to click on a suspicious link or open a malicious email to put the entire enterprise and its supply chain at risk.

"There isn't enough focus on practical education," said Van Dyke. "Service providers need to regularly test professionals, giving them surreptitious tests that see how vulnerable their employees are to scammers."

Even diligent and well-meaning professionals can cause a breakdown in data security, with Van Dyke adding that he's seen "dedicated employees literally cry under deposition" because they feel so terrible about falling victim to a cyberattack.

In addition to employee training, organizations do have an opportunity to elevate their security technology investments, particularly when it comes to artificial intelligence (AI).

In cases like Blackbaud's, in which a security lapse has already taken place, AI offers the opportunity for employers to identify which kinds of breaches and which employees have already been involved in order to understand where and how sensitive data is being kept. In addition to AI, Van Dyke noted that the development of national databases, as well as knowledge of and access to the dark web, are key to being able to trace where employee data has been exposed and better understand where the next attack may hit.

When it comes to preventing an attack, multifactor authentication and other kinds of multilayer security measures, plus the practice of frequently updating software and installing patches, remain the tried-and-true defenses.

Blackbaud's data breach isn't unique, per se. Particularly as cyberattacks rise in frequency as a result of malicious actors looking to capitalize on pandemic-related fears, organizations of all kinds will continue to face the threat of ransomware, the business email compromise and other types of attacks.

Yet Van Dyke emphasized, "these breaches must each be treated as unique," and the same safety action steps required in Blackbaud's case won't necessarily be the prescription another enterprise needs.

And while enterprises and their employees still have much work to do to understand, prevent and address such incidents, the cybersecurity community itself can take added measures to safeguard corporates and individuals alike. Again, AI — and the information gathered from previous breaches — can be powerful protection tools.

"The security industry is guilty of not having any sort of a model for predicting what particular ID scams or threats are more likely to be committed, based on any one identity-holder's prior breached data," said Van Dyke. "We need to seamlessly put AI to work here and focus more on how the data that's already been breached now raises risks of the next crimes. This is an opportunity that algorithms and AI were tailor-made for."



Banks, corporates and even regulators now recognize the imperative to modernize — not just digitize —the infrastructures and workflows that move money and data between businesses domestically and cross-border.

Together with Visa, PYMNTS invites you to a month-long series of livestreamed programs on these issues as they reshape B2B payments. Masters of modernization share insights and answer questions during a mix of intimate fireside chats and vibrant virtual roundtables.