How disinformation creates insider threats

As we enter quarter four of 2021, the idea of disinformation as a cyber threat probably hasn’t percolated to the forefront of concerns of many CISOs. Indeed, a Venn diagram would show no overlap of “disinformation” with the words “CISO” or “cyber threat,” especially in the United States. Yet there is a significant overlap here, and CISOs will be well served to get ahead of the curve.

A few companies have identified disinformation as a threat. Recorded Future CSO Gavin Reid notes how some activist CEOs are taking steps to address the politicization of disinformation, as companies look to third parties to better understand how to counter the arrival of disinformation pointed at their entity or influencing employee actions.

CISO’s challenge re disinformation

This perspective is shared by Armaan Mahbod, director, counter insider threat, security and business intelligence at DTEX Systems. “The sharing of disinformation/ misinformation happens all the time, whether or not there are positive or negative intentions and outcomes behind the act,” he says. “It’s challenging for executives and organizations to refute the information because oftentimes they don’t have visibility into what even might be being shared, so they’re unaware that there’s a need for a response.”

“On top of a lack of visibility, many organizational leaders are struggling to answer basic questions about their business and their team as it is, including: Who are my employees and where are they? How does my business actually function? How active is business (i.e., regionally, departmentally, etc.)? On top of the thousand other more nuanced and granular questions surrounding companies that play into an org’s overall cybersecurity posture,” Mahbod continues.

Adam Flatley, director of threat intelligence at Redacted, sees the CISO’s challenge wrapped within how disinformation campaigns external to the organizations “drive their victims to believe certain false narratives, drive wedges between them and those who provide contrary factual information, and get them addicted to information that feeds their confirmation bias.”

Flatley continues that “the next-level danger for a CISO is when that addiction to information feeding confirmation bias really sinks its hooks into victims (employees). It makes them more likely to click on phishing emails, text message links, and other types of lures which are tailored to the theme they hunger for, which can lead to stolen credentials or direct exploitation.”

Disinformation feeds social engineering opportunities

Then there is the area of social engineering for which the individual employee must be prepared to deflect and for which the CISO must be prepared. Malicious actors are watching the disinformation firestorms, be they on global topics or topics unique to a given entity, and these miscreants then, “build personas to foster online relationships with their victims. They feed them information that not only manipulates them, but builds trust, which leads them to naturally visit websites sent to them by their ‘true believer friend.’ It establishes a comradery that would make victims more likely to open files sent to them, which could contain malware,” warns Flatley. “In effect, before victims even take the step to being a witting insider threat, they could be used to compromise the network totally unwittingly, which is much easier for a threat actor to do than to truly recruit a malicious insider.”

This observation is also shared by Elsine Van Os, founder and CEO of Signpost Six, who notes that the affinity for a confirmatory narrative will make employees vulnerable to “click on emails of interest to them and with that unintentionally opening the door for malware into their organization.”

Change as a portal to localized disinformation

Change is another area of concern where internal messaging can and often does go sideways, with rumors flying through an organization like lightning. Van Os remarked how “with change (and some organizations go through continuous change) you often see inadequate communication, incomplete inaccurate or untimely information and then misunderstanding.”

Van Os continued how the CISOs are challenged to manage the insider risk when management, for whatever reason, has a workforce who is facing “unmet expectations are a key stress/risk factor on the critical pathway to insider risk and this is especially the case during reorgs. It’s very difficult for an organization to navigate this issue as sometimes there are just no satisfactory outcomes for employees, so you’ll need to manage the risk on the back end.”

Noting that Forrester is predicting growth in insider risk management challenges for 2021, Van Os believes CISOS “need to be joined at the hip with HR, especially as we’re seeing this great resignation. So many people are leaving, and the vast majority take sensitive data with them.”

When disinformation is found

When faced with the dilemma of false information permeating one’s entity, “It is crucial that executives and businesses have a clear understanding of how they operate, so they can not only comprehend their own company’s behaviors, but also communicate with confidence to their employees and to their investors/board that they have data to support their statement,” says Mahbod. “This requires, high fidelity data to be available to back up commentary with empirical information which answer the questions, be they articulated or assumed.”