As if chief information security officers (CISOs) did not have enough to deal with, add one more issue to their plates: information warfare. These operations now target private and non-governmental entities almost as often as they involve world powers. That’s why it’s more important than ever to know the difference between misinformation and disinformation — and how to stop them both.

Information wars are old. They date back millennia, as does the strategy of deception in warfare. Despite the age and use of disinformation, we’ve seen a recent uptick in discussion on the subject. Run a small experiment: perform an internet search for material from before 2016 on the word “disinformation” and see how many fewer results there are than what you’d find today. You’ll find first-page results with publish dates spanning the 2010s. Go a couple of pages in and you may see references to books from the 80s and 90s. Search that term today, though, and it takes quite a few clicks to find something that wasn’t written in 2021.

Why the uptick? More information, for one. It does not matter if it is credible or not. It’s out there. The information age means almost anyone can become a publisher. Blogs are cheap to maintain, content creators are seeing returns on investments, advertisers are enjoying click-through revenue and social media is an amplifier. All these are good things. And they also come with noise.

Cutting Through the Noise

Two sets of ideas can help CISOs discover and limit information campaigns against their organization. And while these appear similar, they are distinctly different.

Misinformation Versus Disinformation

These are pretty easy to tell apart in simple terms but are also easily confused or used inappropriately. Misinformation is usually wrong information, that when released, at least at first, has benign intent. It’s possible you have said or have had said to you, “You have been misinformed”. CISOs need to watch out for intent. We’ll examine that in a bit more detail shortly.

On the other hand, disinformation is malicious by design. It may be a well-crafted lie, but lies have a way of falling apart, especially over time. The most insidious type of disinformation is the type seeded with ‘the kernel of truth’. The lie is built around something that is proven to be true, therefore giving the disinformation campaign an appearance of credibility.

A perfect example to illustrate this is the use of deepfakes. A deepfake of an influential person saying something ridiculous may be quickly proven to be a lie. The disinformation campaign unravels very quickly. But a deepfake that only makes minor changes to an otherwise true event can slip under the radar.

Information Superiority Versus Information Dominance

Of course, technology can help spot anomalies, but combating disinformation is only part science.  Plenty of art is involved, and that is where the second set of ideas comes into play: superiority and dominance.

Think of superiority as having more information, whereas dominance is being able to do more with the information you have, even if it is less in terms of quantity. You are being smarter about how you use it.

Building Confidence Into Your Assessment

Tying these two sets of ideas together is where CISOs can work some magic. The key is to establish confidence in your assessment. Let’s use an example to demonstrate how you can do this.

As a CISO, you may trust a vendor will provide timely threat intelligence reports and meet their service-level agreement requirements. You even have a great working relationship with them. But there is one problem: you do not have confidence in their work product, for whatever the reasons (dated, errors, etc.). Paradoxically though, it is unlikely you would trust a darknet persona, but what if this persona has produced high-quality information with consistency? In this case, you would have confidence in their product.

This is nuanced, so often gets missed. But it is vital to filter out misinformation and combat disinformation. So, how do you use the two sets of ideas above to build confidence?

First, develop a mechanism that allows you to spot the benign from the malicious. There is no one-size-fits-all approach here due to industry-specific language, and nobody knows your industry better than you. Look for nuances in language and information feeds. Spot qualifiers, usually a good tell that something may be off. In other words, focus on signal, not noise.

You see, by going through this exercise you use your industry-specific knowledge (dominance) to filter out the noise, which should lead you to intent: mistake or deliberate, or misinformation versus disinformation.

The next point is crucial. CISOs, slow down and take this saying to heart. Slow is smooth and smooth is fast.

How to Make Good Decisions In the Age of Disinformation

With data security budgets and cybersecurity staff hard to come by, burnt out or resigning, quality over quantity matters more than ever, especially as disinformation attacks can always have ulterior intents.

Always keep in mind, the purpose of a disinformation attack could be to send you astray. Those security operations center alerts or dark web chatter may be solely designed to get you to act, perhaps to force the activation of your crisis management plan. The threat may be a ruse so the actor can see what your response is, to study you and to prey on your emotions and use social engineering. That’s why you need to slow down, verify what you see, develop confidence and make good decisions based on that confidence. Otherwise, you may be walking into a trap. Or put another way: filter out the noise.

Let’s summarize. CISOs:

  1. Learn how to spot misinformation and disinformation. They are different and have different intentions that impact your response.

  2. Strive to be better, not have more. It’s no different than having too many technical tools. Tools need to be configured properly to have utility. Combating disinformation is no different.

  3. Slow down and manage your resources better. Develop confidence in assets of all types: people, technology, vendors and, of course, information.

  4. Be critical. Trusting a source has never been more difficult, meaning you have to develop some of your own capabilities. If you cannot verify information and sources on your own without a good degree of confidence or hard data, you may be going down a rabbit hole that you can’t come out of. Having a cautious and inquisitive approach to the information you are receiving is not a bad thing these days…

…and that even includes this article.

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…