Employees who believe disinformation are more susceptible to social engineering and phishing campaigns, and attackers know it.

As we enter quarter four of 2021, the idea of disinformation as a cyber threat probably hasn't percolated to the forefront of concerns of many CISOs. Indeed, a Venn diagram would show no overlap of "disinformation" with the words "CISO" or "cyber threat," especially in the United States. Yet there is a significant overlap here, and CISOs will be well served to get ahead of the curve.
A few companies have identified disinformation as a threat. Recorded Future CSO Gavin Reid notes how some activist CEOs are taking steps to address the politicization of disinformation, as companies turn to third parties to better understand how to counter disinformation aimed at their organization or designed to influence employee actions.
The CISO's challenge with disinformation
This perspective is shared by Armaan Mahbod, director, counter insider threat, security and business intelligence at DTEX Systems. "The sharing of disinformation/misinformation happens all the time, whether or not there are positive or negative intentions and outcomes behind the act," he says. "It's challenging for executives and organizations to refute the information because oftentimes they don't have visibility into what even might be being shared, so they're unaware that there's a need for a response."
"On top of a lack of visibility, many organizational leaders are struggling to answer basic questions about their business and their team as it is, including: Who are my employees and where are they? How does my business actually function? How active is business (i.e., regionally, departmentally, etc.)? On top of the thousand other more nuanced and granular questions surrounding companies that play into an org's overall cybersecurity posture," Mahbod continues.
Adam Flatley, director of threat intelligence at Redacted, sees the CISO's challenge as bound up with how disinformation campaigns external to the organization "drive their victims to believe certain false narratives, drive wedges between them and those who provide contrary factual information, and get them addicted to information that feeds their confirmation bias."
Flatley continues: "The next-level danger for a CISO is when that addiction to information feeding confirmation bias really sinks its hooks into victims (employees). It makes them more likely to click on phishing emails, text message links, and other types of lures which are tailored to the theme they hunger for, which can lead to stolen credentials or direct exploitation."
Disinformation feeds social engineering opportunities
Then there is social engineering, which the individual employee must be prepared to deflect and for which the CISO must be prepared. Malicious actors are watching the disinformation firestorms, be they on global topics or topics unique to a given entity, and these miscreants then "build personas to foster online relationships with their victims. They feed them information that not only manipulates them, but builds trust, which leads them to naturally visit websites sent to them by their 'true believer friend.' It establishes a camaraderie that would make victims more likely to open files sent to them, which could contain malware," warns Flatley. "In effect, before victims even take the step to being a witting insider threat, they could be used to compromise the network totally unwittingly, which is much easier for a threat actor to do than to truly recruit a malicious insider."
This observation is also shared by Elsine Van Os, founder and CEO of Signpost Six, who notes that the affinity for a confirmatory narrative will make employees vulnerable: they are more apt to "click on emails of interest to them and with that unintentionally open the door for malware into their organization."
Change as a portal to localized disinformation
Change is another area of concern where internal messaging can and often does go sideways, with rumors flying through an organization like lightning. Van Os remarked that "with change (and some organizations go through continuous change) you often see inadequate communication, incomplete, inaccurate or untimely information and then misunderstanding."
Van Os continued that CISOs are challenged to manage insider risk when, for whatever reason, the workforce is facing unmet expectations. "Unmet expectations are a key stress/risk factor on the critical pathway to insider risk, and this is especially the case during reorgs. It's very difficult for an organization to navigate this issue as sometimes there are just no satisfactory outcomes for employees, so you'll need to manage the risk on the back end."
Noting that Forrester is predicting growth in insider risk management challenges for 2021, Van Os believes CISOs "need to be joined at the hip with HR, especially as we're seeing this great resignation. So many people are leaving, and the vast majority take sensitive data with them."
When disinformation is found
When faced with the dilemma of false information permeating one's entity, "It is crucial that executives and businesses have a clear understanding of how they operate, so they can not only comprehend their own company's behaviors, but also communicate with confidence to their employees and to their investors/board that they have data to support their statement," says Mahbod. "This requires high-fidelity data to be available to back up commentary with empirical information which answers the questions, be they articulated or assumed."