Five Security Questions To Ask Before You Sign Any Software or Support Contract

March 5, 2026

A concise list for non-technical leaders to ask vendors about MFA, encryption, and breach notification.

No organization can do it all. Throughout life we are dependent upon others.
- Do you process your own oil to produce the gasoline required for your car?
- Or, do you create your own cell phone service or phones?
- Or, do you establish your own bank for protection and/or investments?
- Or, do you stand up your own email system or web-based software suites?

Of course the answer is a resounding NO!

We trust others to supply those goods and services we need.

In business we establish contractual relationships for the services we do not produce on our own. That means we need to ask questions before we enter into an agreement.

But, what are the important cybersecurity considerations for these vendors or partners?

An Example of Potential Problems
This was all over the cyber news. In 2020, a hacker spent three months inside the network of Blackbaud. Now, Blackbaud is a company that provides donor management software to nonprofits, hospitals, churches, and charities. By the time the breach was discovered, sensitive data from more than 13,000 organizations and millions of their donors had been stolen. This included names, Social Security numbers, and bank account details. You know this was investigated! These investigations found that Blackbaud had failed to put into practice some basic safeguards. There was no multi-factor authentication. Sensitive data was unencrypted. They did not have processes and procedures to monitor for suspicious activity. And when an organization stopped using Blackbaud, they kept that organization's data. As a result, the company paid millions in settlements.

The thousands of organizations that trusted Blackbaud had no way of knowing how exposed their data was. They signed a contract with a well-known vendor and assumed the basics were covered. **They weren’t.**

5 Questions to Ask
These 5 questions could have made a difference for organizations in this situation.

1. Is multi-factor authentication required for anyone who accesses our data?
MFA means logging in requires more than just a password, typically a code from an app or a physical security key. It’s one of the most effective defenses against unauthorized access, and the lack of it was one of the first failures cited in the Blackbaud case. You want MFA required for all users, not just administrators, and enforced on every system that touches your data.

2. How is our data encrypted, both when it’s stored and when it’s transmitted?
Encryption scrambles data so it can’t be read without the proper key. Ask about encryption “at rest” (while stored) and “in transit” (while moving between systems). Blackbaud’s stolen data included unencrypted Social Security numbers and bank accounts. Encryption won’t prevent a breach, but it dramatically reduces the damage. Look for industry standards like AES-256 for stored data and TLS 1.2 or higher for data in transit.

3. What is your process for notifying us if there’s a data breach?
Notifying organizations affected by a breach is not only a legal requirement but an ethical one. In this example, Blackbaud discovered its breach in May but didn’t notify customers until July, and the initial disclosure was inaccurate, leading nonprofits to pass along false reassurances to their donors. Ask for a specific notification timeline (24–72 hours is reasonable), a commitment to include what happened and what data was affected, and get those commitments in writing. If a vendor says they’ll “notify as required by law,” push for more. Legal requirements vary by state and often allow significant delays.

4. How often do you test your security, and will you share the results?
Security is a process. There’s no “set it and forget it”. Investigators found Blackbaud hadn’t kept up with evolving standards and wasn’t monitoring for suspicious activity. Ask whether the vendor conducts regular vulnerability assessments, annual penetration testing by an independent third party, and whether they hold current certifications like SOC 2 or HITRUST. You want a vendor that is willing to share results of their testing and that takes cybersecurity seriously.

5. What happens to our data if we end the relationship?
One of the most striking findings in the Blackbaud case was that the company was still storing sensitive data from former customers. That data was exposed in the breach alongside everything else, and the FTC ordered its deletion. Ask for a written data destruction policy, a specific deletion timeline (30 days is reasonable), and a certificate of destruction when it’s done. If they keep your data after the contract is over, you are still at risk.

The Bottom Line
You don’t need to become a cybersecurity expert, but you do need to ask these questions. Your decisions need to be informed so that you can protect your organization.

Ask questions. And get answers in writing.

----
Not sure where to begin? SureDefense Strategies helps small and medium-sized businesses navigate cybersecurity challenges with clear, actionable guidance. Contact us today to take the next step.

----
Need more information about the Blackbaud breach? Take a look at these links…
[1] California Attorney General – $6.75 Million Settlement with Blackbaud (June 2024): https://oag.ca.gov/news/press-releases/attorney-general-bonta-secures-675-million-settlement-against-blackbaud-over
[2] New York Attorney General – $49.5 Million Multistate Settlement (October 2023): https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-495-million-cloud-company
[3] Federal Trade Commission – Finalized Order Against Blackbaud (May 2024): https://www.ftc.gov/news-events/news/press-releases/2024/05/ftc-finalizes-order-blackbaud-related-allegations-firms-security-failures-led-data-breach
[4] SEC – Blackbaud Charged for Misleading Ransomware Disclosures (March 2023): https://www.sec.gov/newsroom/press-releases/2023-48
