The Ahmanson Foundation funds nonprofit organizations based in and serving Los Angeles County and has become a leader among private foundations in implementing enterprise-wide policies for cybersecurity.

Private foundations must recognize that cybersecurity is an expansive area of concern that intersects with legal, operational, reputational and financial issues.

"A board needs to communicate that cybersecurity is a top priority for an organization," said Kristen K. O'Connor, Chief Financial Officer of The Ahmanson Foundation. "The board needs to ensure that management has allocated sufficient resources to the area."

The Ahmanson Foundation used a holistic approach to make sure that its cybersecurity plan addresses multiple types of potential loss scenarios. Insurance can cover some financial losses, but there are also the risks of operational and reputational damage. The Foundation understood that a cybersecurity attack could shut down its organization, causing it to lose time supporting local nonprofits.

"A foundation's board needs access to enough cybersecurity expertise to fulfill its mandate of oversight and to ask the right questions of management to ensure that best practices are executed," Kristen explains.

She recommends that cybersecurity be a regular agenda item at board meetings. At the Foundation, primary responsibility for cybersecurity lies with the Audit Committee, which reports to the board.

"The process not only involved technical work, but also required the foundation's and board's understanding of what cybersecurity risks look like and why it was important to do this," explains GHJ Advisory Partner David Sutton, who worked with The Ahmanson Foundation through the adoption process. "A successful cybersecurity program requires buy-in from across the organization.”

Sutton also suggests regularly training employees on security awareness, including the evolving ways that cybercriminals are using phishing and social engineering to launch attacks.

“Employees take mandatory cybersecurity trainings and they must pass tests at a level of 80 percent, or they are asked to redo the training and retake the test,” David explained. “By doing this, The Ahmanson Foundation was able to track the percentage of phish-prone staff and soon discovered that training improved their numbers. This really demonstrates the importance of making sure you prepare and train your team before a threat actually happens to mitigate risk.”

The Ahmanson Foundation also implements ongoing monitoring of risks by working with a firm that informs them of changes in the threat landscape. The firm has an endpoint detection and response tool to monitor all physical devices that are connected to the network, and this tool is regularly updated to respond to new threats.