As if chief information security officers (CISOs) did not have enough to deal with, add one more issue to their plates: information warfare. These operations now target private and non-governmental entities almost as often as they involve world powers. That’s why it’s more important than ever to know the difference between misinformation and disinformation — and how to stop them both.

Information wars are old. They date back millennia, as does the strategy of deception in warfare. Despite the age and use of disinformation, we’ve seen a recent uptick in discussion on the subject. Run a small experiment: perform an internet search for material from before 2016 on the word “disinformation” and see how many fewer results there are than what you’d find today. You’ll find first-page results with publish dates spanning the 2010s. Go a couple of pages in and you may see references to books from the 80s and 90s. Search that term today, though, and it takes quite a few clicks to find something that wasn’t written in 2021.

Why the uptick? More information, for one. It does not matter if it is credible or not. It’s out there. The information age means almost anyone can become a publisher. Blogs are cheap to maintain, content creators are seeing returns on investments, advertisers are enjoying click-through revenue and social media is an amplifier. All these are good things. And they also come with noise.

Cutting Through the Noise

Two sets of ideas can help CISOs discover and limit information campaigns against their organization. And while these appear similar, they are distinctly different.

Misinformation Versus Disinformation

These are pretty easy to tell apart in simple terms but are also easily confused or used inappropriately. Misinformation is usually wrong information, that when released, at least at first, has benign intent. It’s possible you have said or have had said to you, “You have been misinformed”. CISOs need to watch out for intent. We’ll examine that in a bit more detail shortly.

On the other hand, disinformation is malicious by design. It may be a well-crafted lie, but lies have a way of falling apart, especially over time. The most insidious type of disinformation is the type seeded with ‘the kernel of truth’. The lie is built around something that is proven to be true, therefore giving the disinformation campaign an appearance of credibility.

A perfect example to illustrate this is the use of deepfakes. A deepfake of an influential person saying something ridiculous may be quickly proven to be a lie. The disinformation campaign unravels very quickly. But a deepfake that only makes minor changes to an otherwise true event can slip under the radar.

Information Superiority Versus Information Dominance

Of course, technology can help spot anomalies, but combating disinformation is only part science.  Plenty of art is involved, and that is where the second set of ideas comes into play: superiority and dominance.

Think of superiority as having more information, whereas dominance is being able to do more with the information you have, even if it is less in terms of quantity. You are being smarter about how you use it.

Building Confidence Into Your Assessment

Tying these two sets of ideas together is where CISOs can work some magic. The key is to establish confidence in your assessment. Let’s use an example to demonstrate how you can do this.

As a CISO, you may trust a vendor will provide timely threat intelligence reports and meet their service-level agreement requirements. You even have a great working relationship with them. But there is one problem: you do not have confidence in their work product, for whatever the reasons (dated, errors, etc.). Paradoxically though, it is unlikely you would trust a darknet persona, but what if this persona has produced high-quality information with consistency? In this case, you would have confidence in their product.

This is nuanced, so often gets missed. But it is vital to filter out misinformation and combat disinformation. So, how do you use the two sets of ideas above to build confidence?

First, develop a mechanism that allows you to spot the benign from the malicious. There is no one-size-fits-all approach here due to industry-specific language, and nobody knows your industry better than you. Look for nuances in language and information feeds. Spot qualifiers, usually a good tell that something may be off. In other words, focus on signal, not noise.

You see, by going through this exercise you use your industry-specific knowledge (dominance) to filter out the noise, which should lead you to intent: mistake or deliberate, or misinformation versus disinformation.

The next point is crucial. CISOs, slow down and take this saying to heart. Slow is smooth and smooth is fast.

How to Make Good Decisions In the Age of Disinformation

With data security budgets and cybersecurity staff hard to come by, burnt out or resigning, quality over quantity matters more than ever, especially as disinformation attacks can always have ulterior intents.

Always keep in mind, the purpose of a disinformation attack could be to send you astray. Those security operations center alerts or dark web chatter may be solely designed to get you to act, perhaps to force the activation of your crisis management plan. The threat may be a ruse so the actor can see what your response is, to study you and to prey on your emotions and use social engineering. That’s why you need to slow down, verify what you see, develop confidence and make good decisions based on that confidence. Otherwise, you may be walking into a trap. Or put another way: filter out the noise.

Let’s summarize. CISOs:

  1. Learn how to spot misinformation and disinformation. They are different and have different intentions that impact your response.

  2. Strive to be better, not have more. It’s no different than having too many technical tools. Tools need to be configured properly to have utility. Combating disinformation is no different.

  3. Slow down and manage your resources better. Develop confidence in assets of all types: people, technology, vendors and, of course, information.

  4. Be critical. Trusting a source has never been more difficult, meaning you have to develop some of your own capabilities. If you cannot verify information and sources on your own without a good degree of confidence or hard data, you may be going down a rabbit hole that you can’t come out of. Having a cautious and inquisitive approach to the information you are receiving is not a bad thing these days…

…and that even includes this article.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today