How Disinformation Affects CISOs

Disinformation of any kind ends up undermining the organization’s brand, reputation, and customer loyalty

CISOs clarify that disinformation in the industry can influence the C-suite executives, clients, and end-users alike. Tackling disinformation effectively is one of the additional responsibilities added to the list of roles handled by CISOs in the pandemic and post-pandemic world.

Disinformation is not conventionally associated with the IT industry, but it is a major cybersecurity issue. It has regularly been used to destroy brand value and reputation and to start conflict and divisiveness internally among employees. It has also been used as social engineering bait and as a form of ransomware, where the receiver is required to pay if they want the disinformation campaign to stop.

Security leaders explain that the tactic is used by criminals, hacker groups, and even national groups. Security teams are best equipped to develop the relevant tools needed to mitigate disinformation. This is possible because these teams have the needed experience in protecting enterprises against security attacks at scale.

CIOs say that if InfoSec personnel believe that disinformation isn’t a valid factor, they are deluding themselves and the organization. It is imperative to acknowledge its presence and develop a guideline to mitigate potential attacks. Disinformation has gradually become the weapon or attack vector of choice for cyber-criminals, activists, nation-state hacker groups, and all sorts of rivals.

Distributed Denial of Service (DDoS) attacks have been the strongest tactic for hackers. CIOs say that even a single conspiracy theory or a rumor could damage the reputation built over the years. Organizations are left fighting to rebuild their brand. Trying to understand which requests coming to the website are authentic and which are merely checking whether the rumor or conspiracy theory is true is a time- and money-consuming exercise.

Security leaders say that disinformation need not come only from external sources. Even wrong security advice to staff and clients, such as illogical advice on remembering or creating passwords rather than using a password manager, counts as disinformation.

CIOs clarify that such disinformation may often appear to be trivial or not particularly malicious, but the knock-on effect can be devastating in the long run. A CISO’s role does not end at securing technology alone; it extends to people and processes. Extended disinformation can lead to death by a thousand cuts.

Even ransomware incidents have used disinformation. Clients would receive emails regarding stolen and encrypted data with the ransom demand. The situation is disturbing in itself, and the email may be true. Still, there is always a possibility that the attackers are trying to extort money by making false claims of having stolen and encrypted data.

Such false communications prove to be a challenge for CISOs, who are pushed onto the back foot in such situations. Each incident report requires accurate validation of whether the breach has occurred and, if so, what data was stolen. They must inform clients, come to a consensus on what steps are needed to rectify the situation, and discuss it with PR agencies, legal counsel, and stakeholders. The issue mushrooms into a wide-scale situation that involves many different domains, of which the technical department is a very small component.

CISOs believe that fighting disinformation will be the biggest challenge they face in the post-pandemic environment. They will need to decide on effective communication with clients, employees, and the general public rather than only the executive board.

Many C-suite leaders think that radical transparency will be the best solution. In a cyber-security incident or a breach, the enterprise should control the incident and take proactive measures. General rules applied to phishing campaigns will be useful to avoid disinformation attacks.