Lessons in cybersecurity
The highlight of October’s National Cybersecurity Awareness Month activities at Boston College was a presentation by former Federal Bureau of Investigation senior executive Joseph R. Bonavolonta, now a managing partner at Sentinel, a global risk and intelligence advisory firm, and familiar figure on campus.
Bonavolonta, a featured participant in the annual Boston College-FBI co-hostedBoston Conference on Cybersecurity— a one-day event comprised of lectures and panel discussions with international leaders in the disciplines of emerging technologies, operations and enforcement on actual cyber and national security concerns — joined Sentinel following his FBI retirement in June 2023.
His talk, titled “Cybersecurity Lessons from a Former FBI Executive: What You Should Know,” was held on October 30 at the Heights Room in Corcoran Commons, and was sponsored by ֱ’s Information Technology Services (ITS), the University’s department focused on information security and the protection and integrity of the University’s information assets.
“It's not enough to solely have a whole of government approach; it takes a whole of society methodology, which means the private sector and government agencies working collaborativelyon a consistent basis to mitigate cyber threats,” said Bonavolonta, who served over 27 years with the FBI, including more than four years as the special agent in charge of the FBI Boston Division, one of the country’s largest field offices.
“Cybersecurity is a seven-day per week, 365-day concern, and we all should bear responsibility for our personal and corporate cyber hygiene,” he said. “Cybercrime is a human issue enabled by technology: We are all stakeholders in threat protection, whether they’re perpetrated by nation states, criminal entities or a blend of both.”
He cited China, Russia, Iran and North Korea as the countries most frequently responsible for cyber-attacks against the U.S. According to the latest annual report by the Office of the Director of National Intelligence, China is the most active and persistent cyber threat to the government, the private sector, and critical infrastructure networks.
Bonavolonta outlined that on the criminal side, we face threats from large organizational enterprises attempting to steal data, money or identities; cyber strikes designed to disrupt business operations resulting in lost revenue; ransomware attacks — malware that denies a user or organization access to now encrypted computer files and then a payment demand for the decryption key — and ideological assaults from politically motivatedattackers who typically seek notoriety for their causes by publicizing their incursions.
“Cybersecurity is a seven-day per week, 365-day concern, and we all should bear responsibility for our personal and corporate cyber hygiene. Cybercrime is a human issue enabled by technology: We are all stakeholders in threat protection, whether they’re perpetrated by nation states, criminal entities or a blend of both.”
Unthwarted cyber-attacks are extraordinarily expensive; the average cost of a data breach is $4.88 million, according to IBM’s 2024 Cost of a Data Breach Report, which includes the expense of discovering and responding to the violation, downtime and lost revenue, and the long-term reputational damage to a business and its brand. Some cyberattacks can be considerably more costly than others; ransomware attacks, for example, have commanded payments as high as $40 million, according toBusiness Insider.
There are, however, critically important measures that countries, governments, organizations and individuals can take to protect themselves from what Bonavolonta characterized as the “wide spectrum of threats” to our cyber security.
“You must have a ‘depth of defense’ mentality that includes concentric levels of protection that make it difficult to penetrate a network,” he said. “The first step for a corporate entity is to take a ‘what if’ approach to identify vulnerabilities through a ‘red teaming’ exercise — a practice reflecting real-world conditions, conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes that provides a comprehensive assessment of the organization’s information system security capability.
“An additional or alternative step is a ‘tabletop exercise’ — a discussion-based activity during which participants role play their responses to a simulated cyber-attack — followed by the development of a well-practiced critical incident plan. That plan must be reviewed regularly to ensure it’s updated and relevant.”
He stressed, though, that action items alone are insufficient unless organizations culturally commit to cyber protection.
“There needs to be full cyber protection buy-in, starting at the C-suite level, and an overall investment to find solutions that effectively address all vulnerabilities,” said Bonavolonta. “It takes just one employee clicking on a dangerous link that can allow entry to an entire company.”
Cybersecurity Awareness Month, launched in 2004 by the Department of Homeland Security and the National Cyber Security Alliance, has evolved into a global campaign including other government entities, cybersecurity experts, universities, and individuals collaborating to help Americans stay safe online. The ֱ event was hosted by Michael Bourque, ITS vice president, and David Escalante,director of Computer Security & Policy, and IT Assurance, who expressed their appreciation for Bonavolonta’s presentation and his ongoing support of cybersecurity at Boston College.