As if chief information security officers (CISOs) did not have enough to deal with, add one more issue to their plates: information warfare. These operations now target private and non-governmental entities almost as often as they involve world powers. That’s why it’s more important than ever to know the difference between misinformation and disinformation — and how to stop them both.

Information wars are old. They date back millennia, as does the strategy of deception in warfare. Despite the age and use of disinformation, we’ve seen a recent uptick in discussion on the subject. Run a small experiment: perform an internet search for material from before 2016 on the word “disinformation” and see how many fewer results there are than what you’d find today. You’ll find first-page results with publish dates spanning the 2010s. Go a couple of pages in and you may see references to books from the 80s and 90s. Search that term today, though, and it takes quite a few clicks to find something that wasn’t written in 2021.

Why the uptick? More information, for one. It does not matter if it is credible or not. It’s out there. The information age means almost anyone can become a publisher. Blogs are cheap to maintain, content creators are seeing returns on investments, advertisers are enjoying click-through revenue and social media is an amplifier. All these are good things. And they also come with noise.

Cutting Through the Noise

Two sets of ideas can help CISOs discover and limit information campaigns against their organization. And while these appear similar, they are distinctly different.

Misinformation Versus Disinformation

These are pretty easy to tell apart in simple terms but are also easily confused or used inappropriately. Misinformation is usually wrong information that, when released, has benign intent, at least at first. It’s possible you have said or have had said to you, “You have been misinformed.” CISOs need to watch out for intent. We’ll examine that in a bit more detail shortly.

On the other hand, disinformation is malicious by design. It may be a well-crafted lie, but lies have a way of falling apart, especially over time. The most insidious type of disinformation is the type seeded with ‘the kernel of truth’. The lie is built around something that is proven to be true, therefore giving the disinformation campaign an appearance of credibility.

A perfect example to illustrate this is the use of deepfakes. A deepfake of an influential person saying something ridiculous may be quickly proven to be a lie. The disinformation campaign unravels very quickly. But a deepfake that only makes minor changes to an otherwise true event can slip under the radar.

Information Superiority Versus Information Dominance

Of course, technology can help spot anomalies, but combating disinformation is only part science. Plenty of art is involved, and that is where the second set of ideas comes into play: superiority and dominance.

Think of superiority as having more information, whereas dominance is being able to do more with the information you have, even if it is less in terms of quantity. You are being smarter about how you use it.

Building Confidence Into Your Assessment

Tying these two sets of ideas together is where CISOs can work some magic. The key is to establish confidence in your assessment. Let’s use an example to demonstrate how you can do this.

As a CISO, you may trust that a vendor will provide timely threat intelligence reports and meet their service-level agreement requirements. You even have a great working relationship with them. But there is one problem: you do not have confidence in their work product, for whatever reason (it is dated, contains errors, etc.). Paradoxically, though, it is unlikely you would trust a darknet persona, but what if this persona has consistently produced high-quality information? In this case, you would have confidence in their product.

This is nuanced, so it often gets missed. But it is vital to filter out misinformation and combat disinformation. So, how do you use the two sets of ideas above to build confidence?

First, develop a mechanism that allows you to spot the benign from the malicious. There is no one-size-fits-all approach here due to industry-specific language, and nobody knows your industry better than you. Look for nuances in language and information feeds. Spot qualifiers, usually a good tell that something may be off. In other words, focus on signal, not noise.

You see, by going through this exercise you use your industry-specific knowledge (dominance) to filter out the noise, which should lead you to intent: mistake or deliberate, or misinformation versus disinformation.

The next point is crucial. CISOs, slow down and take this saying to heart. Slow is smooth and smooth is fast.

How to Make Good Decisions In the Age of Disinformation

With data security budgets and cybersecurity staff hard to come by, burnt out or resigning, quality over quantity matters more than ever, especially as disinformation attacks can always have ulterior intents.

Always keep in mind, the purpose of a disinformation attack could be to send you astray. Those security operations center alerts or dark web chatter may be solely designed to get you to act, perhaps to force the activation of your crisis management plan. The threat may be a ruse so the actor can see what your response is, to study you and to prey on your emotions and use social engineering. That’s why you need to slow down, verify what you see, develop confidence and make good decisions based on that confidence. Otherwise, you may be walking into a trap. Or put another way: filter out the noise.

Let’s summarize. CISOs:

  1. Learn how to spot misinformation and disinformation. They are different and have different intentions that impact your response.

  2. Strive to be better, not have more. It’s no different than having too many technical tools. Tools need to be configured properly to have utility. Combating disinformation is no different.

  3. Slow down and manage your resources better. Develop confidence in assets of all types: people, technology, vendors and, of course, information.

  4. Be critical. Trusting a source has never been more difficult, meaning you have to develop some of your own capabilities. If you cannot verify information and sources on your own with a good degree of confidence or hard data, you may be going down a rabbit hole that you can’t come out of. Having a cautious and inquisitive approach to the information you are receiving is not a bad thing these days…

…and that even includes this article.
