As if chief information security officers (CISOs) did not have enough to deal with, add one more issue to their plates: information warfare. These operations now target private and non-governmental entities almost as often as they involve world powers. That’s why it’s more important than ever to know the difference between misinformation and disinformation — and how to stop them both.

Information wars are old. They date back millennia, as does the strategy of deception in warfare. Despite the age and use of disinformation, we’ve seen a recent uptick in discussion on the subject. Run a small experiment: perform an internet search for material from before 2016 on the word “disinformation” and see how many fewer results there are than what you’d find today. You’ll find first-page results with publish dates spanning the 2010s. Go a couple of pages in and you may see references to books from the 80s and 90s. Search that term today, though, and it takes quite a few clicks to find something that wasn’t written in 2021.

Why the uptick? More information, for one. It does not matter if it is credible or not. It’s out there. The information age means almost anyone can become a publisher. Blogs are cheap to maintain, content creators are seeing returns on investments, advertisers are enjoying click-through revenue and social media is an amplifier. All these are good things. And they also come with noise.

Cutting Through the Noise

Two sets of ideas can help CISOs discover and limit information campaigns against their organization. And while these appear similar, they are distinctly different.

Misinformation Versus Disinformation

These are pretty easy to tell apart in simple terms but are also easily confused or used inappropriately. Misinformation is usually wrong information, that when released, at least at first, has benign intent. It’s possible you have said or have had said to you, “You have been misinformed”. CISOs need to watch out for intent. We’ll examine that in a bit more detail shortly.

On the other hand, disinformation is malicious by design. It may be a well-crafted lie, but lies have a way of falling apart, especially over time. The most insidious type of disinformation is the type seeded with ‘the kernel of truth’. The lie is built around something that is proven to be true, therefore giving the disinformation campaign an appearance of credibility.

A perfect example to illustrate this is the use of deepfakes. A deepfake of an influential person saying something ridiculous may be quickly proven to be a lie. The disinformation campaign unravels very quickly. But a deepfake that only makes minor changes to an otherwise true event can slip under the radar.

Information Superiority Versus Information Dominance

Of course, technology can help spot anomalies, but combating disinformation is only part science.  Plenty of art is involved, and that is where the second set of ideas comes into play: superiority and dominance.

Think of superiority as having more information, whereas dominance is being able to do more with the information you have, even if it is less in terms of quantity. You are being smarter about how you use it.

Building Confidence Into Your Assessment

Tying these two sets of ideas together is where CISOs can work some magic. The key is to establish confidence in your assessment. Let’s use an example to demonstrate how you can do this.

As a CISO, you may trust a vendor will provide timely threat intelligence reports and meet their service-level agreement requirements. You even have a great working relationship with them. But there is one problem: you do not have confidence in their work product, for whatever the reasons (dated, errors, etc.). Paradoxically though, it is unlikely you would trust a darknet persona, but what if this persona has produced high-quality information with consistency? In this case, you would have confidence in their product.

This is nuanced, so often gets missed. But it is vital to filter out misinformation and combat disinformation. So, how do you use the two sets of ideas above to build confidence?

First, develop a mechanism that allows you to spot the benign from the malicious. There is no one-size-fits-all approach here due to industry-specific language, and nobody knows your industry better than you. Look for nuances in language and information feeds. Spot qualifiers, usually a good tell that something may be off. In other words, focus on signal, not noise.

You see, by going through this exercise you use your industry-specific knowledge (dominance) to filter out the noise, which should lead you to intent: mistake or deliberate, or misinformation versus disinformation.

The next point is crucial. CISOs, slow down and take this saying to heart. Slow is smooth and smooth is fast.

How to Make Good Decisions In the Age of Disinformation

With data security budgets and cybersecurity staff hard to come by, burnt out or resigning, quality over quantity matters more than ever, especially as disinformation attacks can always have ulterior intents.

Always keep in mind, the purpose of a disinformation attack could be to send you astray. Those security operations center alerts or dark web chatter may be solely designed to get you to act, perhaps to force the activation of your crisis management plan. The threat may be a ruse so the actor can see what your response is, to study you and to prey on your emotions and use social engineering. That’s why you need to slow down, verify what you see, develop confidence and make good decisions based on that confidence. Otherwise, you may be walking into a trap. Or put another way: filter out the noise.

Let’s summarize. CISOs:

  1. Learn how to spot misinformation and disinformation. They are different and have different intentions that impact your response.

  2. Strive to be better, not have more. It’s no different than having too many technical tools. Tools need to be configured properly to have utility. Combating disinformation is no different.

  3. Slow down and manage your resources better. Develop confidence in assets of all types: people, technology, vendors and, of course, information.

  4. Be critical. Trusting a source has never been more difficult, meaning you have to develop some of your own capabilities. If you cannot verify information and sources on your own without a good degree of confidence or hard data, you may be going down a rabbit hole that you can’t come out of. Having a cautious and inquisitive approach to the information you are receiving is not a bad thing these days…

…and that even includes this article.

More from Data Protection

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today