Lessons in cybersecurity
The highlight of October鈥檚 National Cybersecurity Awareness Month activities at Boston College was a presentation by former Federal Bureau of Investigation senior executive Joseph R. Bonavolonta, now a managing partner at Sentinel, a global risk and intelligence advisory firm, and familiar figure on campus.
Bonavolonta, a featured participant in the annual Boston College-FBI co-hosted听Boston Conference on Cybersecurity听鈥 a one-day event comprised of lectures and panel discussions with international leaders in the disciplines of emerging technologies, operations and enforcement on actual cyber and national security concerns 鈥 joined Sentinel following his FBI retirement in June 2023.听
His talk, titled 鈥淐ybersecurity Lessons from a Former FBI Executive: What You Should Know,鈥 was held on October 30 at the Heights Room in Corcoran Commons, and was sponsored by 情色空间鈥檚 Information Technology Services (ITS), the University鈥檚 department focused on information security and the protection and integrity of the University鈥檚 information assets.
Joseph Bonavolonta with 情色空间 Director of Computer Policy and Security David Escalante
鈥淚t's not enough to solely have a whole of government approach; it takes a whole of society methodology, which means the private sector and government agencies working collaboratively听on a consistent basis to mitigate cyber threats,鈥 said Bonavolonta, who served over 27 years with the FBI, including more than four years as the special agent in charge of the FBI Boston Division, one of the country鈥檚 largest field offices.听
鈥淐ybersecurity is a seven-day per week, 365-day concern, and we all should bear responsibility for our personal and corporate cyber hygiene,鈥 he said. 鈥淐ybercrime is a human issue enabled by technology: We are all stakeholders in threat protection, whether they鈥檙e perpetrated by nation states, criminal entities or a blend of both.鈥澨
He cited China, Russia, Iran and North Korea as the countries most frequently responsible for cyber-attacks against the U.S.听 According to the latest annual report by the Office of the Director of National Intelligence, China is the most active and persistent cyber threat to the government, the private sector, and critical infrastructure networks.
Bonavolonta outlined that on the criminal side, we face threats from large organizational enterprises attempting to steal data, money or identities; cyber strikes designed to disrupt business operations resulting in lost revenue; ransomware attacks 鈥 malware that denies a user or organization access to now encrypted computer files and then a payment demand for the decryption key 鈥 and ideological assaults from politically motivated听attackers who typically seek notoriety for their causes by publicizing their incursions.
“Cybersecurity is a seven-day per week, 365-day concern, and we all should bear responsibility for our personal and corporate cyber hygiene. Cybercrime is a human issue enabled by technology: We are all stakeholders in threat protection, whether they鈥檙e perpetrated by nation states, criminal entities or a blend of both.”
Unthwarted cyber-attacks are extraordinarily expensive; the average cost of a data breach is $4.88 million, according to IBM鈥檚 2024 Cost of a Data Breach Report, which includes the expense of discovering and responding to the violation, downtime and lost revenue, and the long-term reputational damage to a business and its brand.听 Some cyberattacks can be considerably more costly than others; ransomware attacks, for example, have commanded payments as high as $40 million, according to听Business Insider.
There are, however, critically important measures that countries, governments, organizations and individuals can take to protect themselves from what Bonavolonta characterized as the 鈥渨ide spectrum of threats鈥 to our cyber security.
鈥淵ou must have a 鈥榙epth of defense鈥 mentality that includes concentric levels of protection that make it difficult to penetrate a network,鈥 he said.听 鈥淭he first step for a corporate entity is to take a 鈥榳hat if鈥 approach to identify vulnerabilities through a 鈥榬ed teaming鈥 exercise 鈥 a practice reflecting real-world conditions, conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes that provides a comprehensive assessment of the organization鈥檚 information system security capability.
听鈥淎n additional or alternative step is a 鈥榯abletop exercise鈥 鈥 a discussion-based activity during which participants role play their responses to a simulated cyber-attack 鈥 followed by the development of a well-practiced critical incident plan. That plan must be reviewed regularly to ensure it鈥檚 updated and relevant.鈥澨
He stressed, though, that action items alone are insufficient unless organizations culturally commit to cyber protection.
鈥淭here needs to be full cyber protection buy-in, starting at the C-suite level, and an overall investment to find solutions that effectively address all vulnerabilities,鈥 said Bonavolonta.听 鈥淚t takes just one employee clicking on a dangerous link that can allow entry to an entire company.鈥
Cybersecurity Awareness Month, launched in 2004 by the Department of Homeland Security and the National Cyber Security Alliance, has evolved into a global campaign including other government entities, cybersecurity experts, universities, and individuals collaborating to help Americans stay safe online. The 情色空间 event was hosted by Michael Bourque, ITS vice president, and David Escalante,听director of Computer Security & Policy, and IT Assurance, who expressed their appreciation for Bonavolonta鈥檚 presentation and his ongoing support of cybersecurity at Boston College.