In countries across the world, the rapid growth of social media giants such as Facebook, Twitter and YouTube as a way we consume news and process events has driven a significant escalation in dis- and misinformation. This context has been exacerbated by recent COVID restrictions, which have resulted in more people spending time on the internet and reading and sharing conspiracy theories and opinions or information which is not fact-checked.

The recent Capitol insurrection in Washington DC saw many of those who occupied the building describing themselves as “freedom fighters” and “patriots” who were protecting the country from a “deep state” and a stolen election, but without any credible evidence to support their narrative.

In the US, and increasingly across Europe and the UK, the baseless QAnon conspiracy movement – which suggests President Trump is protecting the world from a pedophilia ring made up of Democrats and Jews – has grown rapidly in membership since the contentious U.S. presidential election, and some members have shown intent to conduct violent attacks.

The rapid spread of dis- and misinformation has the potential to change the full spectrum of security risk management, from how we as risk managers consume information to how we protect staff, information and assets.

Disinformation is impacting risk managers in the following ways:

  1. The information that we rely on. Risk managers need reliable information to make difficult and consequential decisions. With increasingly disputed information flows – and often a reliance on intelligence firms which consume social media feeds – it becomes increasingly challenging to know how to weigh information.
  2. The threats we face. How your organization or business reacted publicly – and through its senior staff – to the January 6, 2021 events on Capitol Hill, for example, could determine whether you come under increased risk from a threat group. We are increasingly in a spectrum where populations are split in what information and news they accept. The public footprint your organization takes will increasingly need to be built into existing ERM toolkits. This includes the way in which your staff communicate online while they are not at work.
  3. When cyberattacks become a disinformation catastrophe. There is growing fear among security professionals about the potential for cyber actors to steal sensitive or embarrassing information, change it slightly, and release it online. Such actions could see a company’s share price crash, and key executives’ reputations ruined. This would make it almost impossible for organizations to defend themselves in terms of their disinformation response.
  4. The growing popularity of deep-fakes and cheap-fakes. Increasingly organizations will need to enhance their monitoring and information capacity to find out whether there are profiles of senior executives or their organization online.

Risk mitigation and governance

The advent of emerging and consequential risk requires organizational changes to help manage it.

Security teams need to ensure they employ staff adept at distinguishing opinion from fact. This will help ensure that decisions made by risk managers are commensurate with reliable and sourced information. Staff with this skillset can play an important role as envoys to any intelligence providers, ensuring that their sourcing is rigorous, consistent and not open to misinterpretation.

The governance of disinformation needs to be included within organizations’ ERM framework to ensure that incidents are consistently measured, and that any mitigation or crisis response is coordinated with other parts of an organization such as communications or IT. An important consideration is that different components of organizations meet regularly and ask tough questions on preparedness efforts to ensure that, during times of crisis, communication is smooth and information is not siloed.

Finally, the response to dis- and misinformation will likely become a critical function. Crisis communication remains an area where improvements can be made across many large organizations, entities and businesses. Increasingly, there is a need for skillsets which encompass risk management and public relations to be learned and improved.