Disinformation and the CISO


Whenever we hear about disinformation or fake news, most of us will either imagine elections, the undermining of democracy, or big faceless social media corporations doing anything to make some money. 

So, the question is, while disinformation may play a role in influencing individuals, does a CISO have to worry about disinformation at the organizational level? With all the other plates a CISO must keep spinning, is disinformation really another thing they want to add to their list of responsibilities? Unfortunately, it appears that there is little choice in the matter. 

Otavio Freire, CTO at Safeguard Cyber says: “Disinformation is a cybersecurity issue. It has already been used as a means for brand value destruction to create divisiveness and conflict within a company's employees, used as a social engineering lure, and as a form of ransomware; where if you want the disinfo to stop, you need to pay.

“It is deployed against the company by hacker groups, criminals, and even nation-states. Security organizations are best equipped to build the right tools to fight disinformation since they have experience in defending the company against attacks at scale.”

Quentyn Taylor, director of information security at Canon Europe added to this, “If we as an infosec community believe that disinformation isn’t a thing, then we are deluding ourselves as we ultimately guide and set policy for organizations.”

It’s hard to disagree with Otavio and Quentyn, as all the evidence points towards disinformation becoming a standard tool of nation-state actors, cyber-criminals, activists, and all manner of competitors. 

Distributed Denial of Service (DDoS) attacks have been a common tactic of criminals for many years. But as Wayfair discovered, all it took was for one conspiracy theory to take hold, and the organization suddenly found itself having to fight for its reputation while trying to ascertain which requests hitting its website were legitimate and which came from people looking to see if there was indeed any truth to the rumours. 

Even on a small scale, disinformation can be annoying, according to Shan Lee, CISO at Transferwise: “The type of disinformation that annoys/worries me is poor security advice, to staff (if it gets past my team) and in particular to customers. Especially stupid advice around how to create/remember passwords instead of just using a password manager.”

Shan touches on an important issue. Although this kind of disinformation may not be entirely malicious, and it may seem trivial, its knock-on effect can be far-reaching. A CISO is not just responsible for securing technology, but also processes and people. Disinformation over a long period of time can result in death by a thousand cuts. 

A common tactic of criminals peddling ransomware is to steal data before encrypting it. Recently, a private psychotherapy clinic in Finland was hacked, and the therapist notes of potentially 40,000 patients were stolen. The attacker then proceeded to email the victims, asking each for €200 ransom in Bitcoin.

This on its own is a terrifying prospect for organizations and their customers, and while in this case it may be true, it’s not too difficult to imagine a scenario where attackers can claim to have breached an organization and try to extort money from the organization, its partners, and customers. 

This becomes quite the challenge for a CISO. In such circumstances, they are immediately put on the back foot. They have to validate whether a breach has actually occurred and, if so, what data was stolen; notify regulators; inform customers; agree the best course of action with stakeholders; brief PR agencies; and discuss it with legal counsel. It becomes a wide-scale issue involving many different disciplines, of which the technical side forms but a small component. 

Fighting disinformation may be one of the biggest challenges that CISOs will face in the coming months and years. We spent much of the last decade seeing talks about how CISOs should talk to the board, but in the coming times, we’ll likely see the communication requirements expand and discuss how the CISO should communicate with everybody, not just the board. This includes employees, partners, stakeholders, the press, and the public at large. 

In terms of defenses, radical transparency would appear to be the order of the day. If there’s a breach, or an incident, CISOs should not let bad guys or circumstances dictate the story. They need to get ahead of the game and lay out the narrative.

Quentyn added that we should take the advice we give to users around phishing, and apply it to a wider context. “Be aware of the source, be aware that people lie, ask yourself is this too good to be true?”

What’s hot on Infosecurity Magazine?