Employees who believe in misinformation are more vulnerable to social engineering and phishing attacks, and attackers are aware of this.
As we enter the fourth quarter of 2021, the concept of misinformation as a cyber threat is unlikely to have reached the top of many CISOs’ priority lists. Indeed, a Venn diagram would reveal little overlap between the phrases “disinformation” and “CISO” or “cyber threat,” particularly in the United States. Yet there is significant overlap here, and CISOs would be well served to stay ahead of the curve.
A few corporations have already identified disinformation as a threat. According to Gavin Reid, as recorded by Future CSO, some activist CEOs are taking steps to confront the politicization of disinformation, and companies are turning to third parties to better understand how to prevent disinformation targeting their organization or influencing staff behaviour.
The CISO’s Disinformation Challenge
Armaan Mahbod, director of counter-insider threat, security, and business intelligence at DTEX Systems, agrees. “Whether there are positive or bad intents and consequences behind the act, the dissemination of disinformation/misinformation occurs all the time,” he argues. “It’s difficult for CEOs and companies to reject the material because they frequently don’t have visibility into what could be revealed, so they’re unaware that a reaction is required.”
“In addition to a lack of visibility, many organizational leaders are already failing to answer fundamental questions about their business and team, such as: ‘Who are my people and where are they? How does my company work? How active is your business (regionally, by department, etc.)?’ On top of the thousand other more complex and specific concerns about firms that factor into an organization’s overall cybersecurity posture,” Mahbod says.
The CISO’s challenge, according to Adam Flatley, director of threat intelligence at Redacted, is wrapped up in how external disinformation campaigns “drive their victims to believe certain false narratives, drive wedges between them and those who provide contrary factual information, and get them addicted to information that feeds their confirmation bias.”
“The next-level threat for a CISO is when that addiction to information fueling confirmation bias digs its claws into victims (employees),” Flatley writes. “It increases their proclivity to click on phishing emails, text message links, and other sorts of baits customized to the topic they seek, which can result in stolen credentials or direct exploitation.”
Disinformation creates opportunities for social engineering
Then there’s the issue of social engineering, which the CISO, as well as the individual employee, must be prepared to deflect. Malicious actors are monitoring misinformation firestorms, whether they are global or specific to a certain entity, and these miscreants then “create identities to nurture online connections with their victims. They give them information that not only manipulates them but also generates trust, which naturally encourages them to visit websites recommended by their ‘true believer buddy.’ It fosters a sense of community, making victims more inclined to open files shared with them that may contain malware,” cautions Flatley. “In effect, before victims even consider becoming a malicious insider threat, they might be utilized to accidentally compromise the network, which is considerably easier for a threat actor to accomplish than to recruit a bad insider.”
Elaine Van Os, founder and CEO of Signpost Six, agrees, noting that workers’ need for a confirming narrative may leave them prone to “clicking on emails of interest to them and thereby unknowingly opening the door for malware into their business.”
Change as a conduit for deception on a local scale
Another area of worry is change, where internal communications may and frequently do go awry, with rumours flowing through a company like lightning. “With change (and some businesses go through constant change), you often witness poor communication, incomplete, erroneous, or delayed information, and eventually misunderstanding,” Van Os observed.
Van Os went on to say that CISOs are challenged to manage insider risk when management, for whatever reason, has a workforce that has “unmet expectations, which are a significant stress/risk element on the important road to insider risk, and this is especially true during reorgs. It is quite tough for a business to handle this issue since there are sometimes no good results for employees. Therefore, you will need to manage the risk on the back end.”
Noting that Forrester predicts an increase in insider risk management difficulties in 2021, Van Os feels CISOs “need to be linked at the hip with HR, especially with this great departure. There are so many individuals going, and the great majority of them take critical data with them.”
When misinformation is discovered
“When confronted with the dilemma of false information permeating one’s entity, it is critical that executives and businesses have a clear understanding of how they operate, so they can not only comprehend their own company’s behaviours but also communicate with confidence to their employees and their investors/board that they have data to support their statement,” Mahbod says. “This necessitates the availability of high-fidelity data to back up the commentary with actual evidence that answers the queries, whether voiced or implied.”
UK Cyber Security Ltd is here to help
If you would like to know more, do get in touch, as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers the baseline technical controls that help guard against common criminal attacks. Or simply contact us.