In this segment of Joseph Ours’ Forbes Technology Council column, Joseph discusses why you need to be talking about how AI and cybersecurity intertwine.
By 2028, businesses will allocate more than $30 billion to combat sophisticated information-based threats, analysts predict, drawing heavily from both cybersecurity and marketing budgets.
Many — if not most — organizations remain unprepared for the evolving threat of AI-powered deception.
Although the terms misinformation, disinformation and malinformation are often used interchangeably, they represent distinct threats. The biggest differentiator between misinformation and disinformation is intent.
Misinformation is information shared without intent to harm and is typically the result of a poorly informed person or group. Disinformation, however, represents false information that is deliberately created and shared to cause harm.
Malinformation, in a sense, is a combination of both. It is often based on fact but used out of context to mislead or manipulate a person or an organization. AI-generated malinformation, such as deepfakes, may be recontextualized or exaggerated from initially truthful statements or accurate events, which makes it even more dangerous. It’s unique in its complexity, as it can subtly leverage AI systems and human judgment, making it especially difficult to identify and combat.
Known collectively as “weaponized information,” misinformation, disinformation and malinformation are gaining traction and increasing the potential for harm through the use of sophisticated AI-powered tools.
While business leaders focus on conventional cybersecurity threats, critical conversations are being overlooked.
1. The New Accessibility Of Information Warfare
Most executives don’t realize how easily information threats can now be created. While Soviet-era disinformation required state-level resources and coordination, today’s threats can be generated by almost anyone with a standard computer and freely available AI tools.
This democratization of deception tools means threats can come from anywhere — disgruntled employees, competitors or opportunistic individuals — not just sophisticated state actors or cybercrime rings.
While business leaders and even IT teams tend to focus on data breaches, ransomware and backdoor attacks, information threats can be just as damaging. For example:
- An Indian restaurant in London was falsely accused of serving human meat on Facebook. As a result, the business’ revenue was cut in half.
- A furniture retailer was accused online of being part of a child trafficking ring, damaging its reputation; though proven to be false, accusations could still be found online a year later.
- A Canadian couple used web and social accounts to inflate the stock of companies with small capitalizations, sold shares of those companies and profited $2.4 million.
2. The Legal Wild West
The second overlooked conversation is the near-complete absence of comprehensive legislation governing these technologies. With limited state regulations and no national or global framework, organizations are operating in a regulatory vacuum. This legal ambiguity makes it difficult for businesses to establish clear policies, enforce consequences, protect themselves from fraud and hold bad actors accountable.
3. The Expanding Gray Area
Perhaps the most uncomfortable conversation we’re avoiding, either because of its complexity or our reluctance to acknowledge our own vulnerabilities, is how these tools blur ethical lines, making previously clear violations feel more ambiguous.
The effectiveness of information threats isn’t just about technological sophistication. It’s rooted in human psychology. The human factor is crucial — 88 percent of data breaches are attributed to human error, and research shows that people are 70 percent more likely to share falsehoods than truth.
Smaller, more targeted and seemingly benign information threats against businesses aren’t just theoretical. They’re already impacting core business functions at organizations across the board, such as the following:
- HR And Hiring: Job candidates are using AI tools to conduct real-time transcriptions and generate expert responses to technical questions. The problem? Candidates don’t have the experience they purport to. By the time the organization realizes the experience gap, they may not have a candidate pipeline anymore, and the recruiting process starts over. In fact, my company has already experienced the use of AI tools in candidate interviews.
- Customer Service And Finance: Most people have experienced trying to speak to a customer service representative only to be told the representative can only speak to the customer, even if they’re on the account or are the customer’s spouse. Individuals are using AI-synthesized voices to bypass gender-based voice verification systems. Voices can be synthesized with just seconds of audio, leading to an increased likelihood of bypassing security measures.
- Insurance: Customers can subtly enhance legitimate insurance claim photos to get a larger payout. As an insurance claimant might think: “I’ve been a good customer for years, and the damage is real — so what if I enhance the photos a bit? I’m not hurting anyone.”
These examples challenge traditional notions of fraud because perpetrators often rationalize their actions as harmless or even justified.
The Human Factor
Traditional cybersecurity focuses on protecting data and systems. Information threats target human judgment and organizational trust.
Misinformation, disinformation and malinformation campaigns are crafted to confirm existing beliefs and expectations, using confirmation bias to lead even cyber-aware professionals astray. In many instances, information threats don’t seem outlandish — they align with normal business operations, expected behavior and even past interactions.
Organizations will need to adapt their security approach to this new reality.
Combatting Modern Information Threats
To combat information threats, organizations should implement a number of strategies:
- Adopting Zero-Trust Principles: Apply cybersecurity’s zero-trust framework to information verification. Nothing should be trusted without validation, whether it’s a candidate’s interview responses or a voice authentication attempt.
- Updating HR Protocols: Develop new verification methods in areas like hiring and employee communications.
- Enhancing Authentication Systems: Multifactor authentication, which combines multiple verification methods, is a must.
- Training For Skepticism: Invest in training your teams on topics like AI literacy, how to identify information threats and how to verify sources. Build organizational awareness about confirmation bias and train employees to approach information with appropriate skepticism.
Organizations need to start having these uncomfortable conversations now: acknowledging how easily these threats can be created, addressing the regulatory gaps and confronting the human tendencies that make us vulnerable.
While cyber threats will always evolve faster than we can combat them, businesses that build a foundation of informed skepticism today will be better positioned to face the information threats of tomorrow.
This blog was originally published on Forbes.com.