From Departments of War to the Basement Next Door: The AI-Disinformation Threat to Companies

A firm’s reputation is one of the most accessible points of attack for disinformation campaigns. In the age of emerging AI technology and complex algorithms, protecting your company’s reputation requires a carefully considered compliance program that accounts for emerging disinformation threats.

The National Institute of Standards and Technology defines disinformation as the “process of providing deliberately deceptive information to adversaries to mislead or confuse them regarding the security posture of the system or organization or the state of cyber preparedness.”

Originally dubbed maskirovka, early modern disinformation grew into the perfected art of “reflexive control” developed in the early days of the Soviet Union to condition the reactions of Russia’s enemies and help Moscow achieve its goals. Until recently, disinformation campaigns required journalists, faked publications and even bogus radio broadcasts.

The emergence of AI technology, coupled with the increased influence of social media channels, has accelerated the evolution of disinformation into an easily accessible weapon that can quickly influence public opinion. While nations still participate in disinformation campaigns, criminal gangs and individuals can launch targeted attacks. In fact, there are even disinformation-as-a-service providers available to manage disinformation campaigns for a price.

New generative AI models like ChatGPT and Claude can draft convincing copy, while AI image creators can develop hyper-realistic fictional images. In the wrong hands, these cutting-edge tools can create compelling content to maliciously target virtually any brand with harmful disinformation maliciously, ultimately impacting a company’s bottom line. This was certainly the case when the S&P 500 took a stumble after bad actors produced and circulated fake images depicting an attack on the Pentagon in 2023.

Importantly, inaccurate rumors, false accusations or misleading information can tarnish a company’s image and erode customer loyalty, creating a reputational management nightmare.

Disinformation attack methodology

The U.S. Cybersecurity & Infrastructure Security Agency has recognized the emerging threat and determined that bad actors utilize the following tactics to spread disinformation:

• Cultivating fake or misleading personas and websites
• Creating deep fakes and synthetic media
• Devising or amplifying conspiracy theories
• Astroturfing and flooding the information environment
• Abusing alternative platforms
• Exploiting information gaps
• Manipulate unsuspecting actors
• Spreading targeted content

While the federal government primarily focuses on the disinformation threat to national security, bad actors can quickly adopt the same techniques to attack companies for financial gain.

Unlike traditional hacking, disinformation percolates in the form of sentiment and mindset. In the age of social media, disinformation can go viral within minutes and negative publicity can lead to a sharp decline in public trust. Inaccurate rumors, false accusations or misleading information can tarnish a company’s image and erode customer loyalty. Ultimately, this can impact a company’s bottom line.

Risk management and how to respond

Benjamin Franklin is credited with coining the expression that an “ounce of prevention is worth a pound of cure.” Rather than illness, Franklin was talking about risk. Like any risk, you can prepare for and mitigate your exposure to attacks by employing a robust risk management program that accounts for disinformation risk. This is now an essential part of business resiliency planning. 

Having a disinformation risk mitigation plan in place with key individuals identified to respond is an essential first step that will allow your company to protect your hard-earned reputational value. In addition, early identification of emerging threats can place your company in a stronger position to mitigate emerging risks. Here are some key steps to developing a disinformation risk mitigation plan:

Understand your company’s risk profile

Mitigating disinformation damage requires developing a risk profile of your company. This assessment should focus on mapping out where threats may arise and how you may be targeted. Establishing a baseline risk profile requires knowing your vulnerabilities and identifying the types of attacks that can impact your company.  

Provide a training program that includes education on identifying emerging disinformation risks

Once you map out your risk profile, educating your team on the risks and how to spot an attack is important. As disinformation campaigns can arise in multiple venues, having more team members capable of identifying threats increases your defenses. Importantly, the training program should provide a centralized point of contact to review any threats identified.

Develop a response and recovery plan

Once an attack is identified, your company must decide how best to respond. This requires looping in key personnel capable of assessing the public relations dynamics tied to protecting your firm’s reputation.

How you respond to disinformation matters. You do not want to give more coverage than necessary to the threat. In fact, it may be beneficial not to acknowledge the disinformation and instead re-emphasize your company’s core values. This requires careful consideration on a case-by-case basis.

In addition, it is essential to understand the scale and source of the attack. This will allow you to loop in the right partners to assist, including, in some cases, federal or local law enforcement. A best practice is to perform an open-source intelligence-based investigation to understand the true scale of the threat. This is accomplished through collecting and analyzing publicly available information. 

Conduct ongoing threat monitoring 

Identifying emerging threats early will place your company in a stronger position to respond. This requires monitoring various channels for unusual activity, particularly within social media, chat boards and even the dark web. The key is to go beyond traditional media headlines. Robust monitoring services are now available to assist with spotting disinformation threats, similar to how other types of cyber threats are identified.  

Solving the crisis before it starts

A robust disinformation risk mitigation plan, including active monitoring and a full response and recovery plan, will place your company in a stronger position to mitigate emerging threats and ensure your firm’s resiliency in the event of a disinformation attack. From an operations standpoint, your company’s compliance or risk team is well-positioned to implement your strategy effectively and consolidate firm resources to combat disinformation threats.