​In November 2016, a man armed himself with an assault rifle and drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children being held captive and abused by Hillary Clinton. Once inside, the man fired on the restaurant, but no one was hurt. 

The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, “a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times,” according to The New York Times.

The concept of fake news entered the popular vocabulary during the U.S. presidential election in 2016. While intentionally spreading false news reports for financial, political, or psychological reasons is not a new phenomenon, the practice has expanded significantly in the last year. During the particularly divisive U.S. election, numerous hyper-partisan blogs and websites posted a wide range of rumors, conspiracy theories, and fabrications, which have collectively been labeled fake news. Far from its original meaning—articles that are blatantly untrue—the term fake news has been embraced by all sides of the political divide to denigrate reporting that they feel is biased or incomplete.

While primarily political in nature, fake news has been used against various organizations and poses a real and increasing threat to private sector organizations of all sizes. It is important for security professionals to explore the relationship between fake news and corporate security, and determine how they can begin to address the threats posed by the release of false news and information.

Transmission

There has been an explosion in the creation and distribution of fake news through various online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research conducted by Hunt Allcott and Matthew Gentzkow and published in the spring 2017 edition of The Journal of Economic Perspectives also found that a database of 38 million shares of fake news stories on social media translated to about 760 million instances of clicking on, and reading, fake news stories. 

The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. A unique aspect of the current situation is that these stories are shared more widely, and more quickly, than ever before due to the ubiquity of social media. According to Allcott and Gentzkow, the list of fake news websites compiled by Stanford University received 159 million visits during the month of the election, while some 41.8 percent of individuals reported that they were exposed to fake news via social media.

Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising considering the sometimes bizarre nature of the claims made. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who reported remembering a fake news headline believed it to be accurate. In the study by KRC Research, 74 percent of individuals surveyed reported that it is difficult to determine what news is real and what is not.

The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. The falling levels of trust in media have been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has led to the increased importance of the “people like me” category as a trusted source of news and information. according to Edelman’s 2017 global report. Because of these developments, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility, while trust in traditional news media and government sources has declined. The fact that these fake news stories are rebroadcast many times, through cross-links and reposts on social media, further adds to the illusion of credibility. 

If fake news were limited to stories about Area 51 or the JFK assassination, it would represent an interesting sociological case, but with limited relevance to corporate security. However, both the subject matter and the intensity of emotion elicited make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This enhanced threat environment will require adaptation by corporate security professionals and the incorporation of new defensive and offensive capabilities to existing corporate security plans.

The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear in the near term. The efficiency of this technique has been clearly demonstrated and the tools facilitating it are becoming ever more powerful, accessible, and easy to use. It is also difficult to imagine a significant increase in trust in traditional authority figures in the near future. 

For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage, and the related loss of business—through boycotts for example—and direct threats to staff and property.

Stock Manipulation

At the macro level, fake news has been used to move entire stock exchanges. This was the case in April 2013 when a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Index lost 145 points in two minutes, while the S&P lost $136.5 billion. The news was quickly disproved and the market corrected within minutes, but the potential for large-scale disruption was demonstrated. In this instance, the fake news attack was claimed by the Syrian Electronic Army, according to The Washington Post.

In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor related to the health of the Thai king. The market made up about half of the loss within the next trading day, and the Thai police made several arrests related to the case later that month, as reported by Reuters.

Fake news has been used to manipulate the shares of individual companies as well. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant increase in the share price, according to The New York Times. Then in November 2016, a fake offer to acquire Fitbit shares led to a spike in activity, and a temporary halt to the trade in Fitbit stocks as reported by The Financial Times. In 2013, a fake press release was posted claiming the Swedish company Fingerprint Cards AB would be acquired by Samsung. Company shares surged until trading was halted. 

In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance in combating this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in “alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks,” according to an SEC statement.​

Reputation

False stories, rumors, or statements taken out of context have led to both reputational harm, as well as to threats to corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances has taken on an increased risk due to hyper-sensitive stakeholders.

A case in point was New Balance, when Matthew LeBretton, vice president for public affairs said, “The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction,” during an interview with The Wall Street Journal. The statement related specifically to President Trump’s plan to withdraw from the TransPacific Partnership (TPP), but was widely misinterpreted. This caused a twofold issue for New Balance. First, anti-Trump individuals saw the statement as an endorsement of the candidate and everything he was purported to believe. This in turn led to calls for a boycott, and many social media posts depicting the destruction of New Balance products as reported by CNBC. A few days later the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the “Official Shoes of White People.” New Balance was blindsided by the intensity of reactions to a single statement related to a proposed international trade agreement and was forced into reactive positions throughout the crisis.

Another executive statement that was taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo in her interview with Andrew Sorkin of The New York Times on November 9, 2016. Her statement included congratulations to President-elect Trump on his victory, while also indicating that some of her employees expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement by claiming that she and her employees were “terrified” of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.

Direct Threats

As noted above, one of the most serious cases of threats to an organization based on fake news were the reports of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. While the story was repeatedly debunked, it nevertheless continued to circulate and was supported by Michael Flynn, Jr., son of then National Security Director General Michael Flynn, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pled guilty to the interstate transportation of ammunition and a firearm, a federal charge, in addition to a D.C. charge of assault with a dangerous weapon, according to The Hill.

This case indicates that even the most ridiculous story, if repeated often enough, will find an audience that believes it, and possibly someone who is willing to take action based on its claims. It is possible that a less extreme story focusing on a corporate executive or brand would lead to similar examples of direct action.​

Countermeasures

Countering fake news is difficult when the target audience finds it easy to discount facts and the usual sources of information are distrusted. However, there are a number of actions that corporate security teams can take to mitigate the risks posed by this new threat.

Risk assessment. As with any threat to corporate security, the place to start is with a detailed risk assessment. The corporate security team needs to look at both internal and external factors to determine both the level of risk, as well as the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. The external factors include the competitive environment, the current perception of the organization and its management, the level of openness and transparency, and the nature of current conversations about the organization. With this information, corporate security will be in a much stronger position to establish policies and procedures to mitigate the risks from fake news attacks.

A white paper by Accenture focusing on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution has vulnerabilities and incorporating the findings into its risk mitigation plans. A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents reported having no social media risk assessments in place, while only 36 percent reported being offered any training on social media risk mitigation.

Monitoring. To have any hope of effectively countering fake news, the corporate security team needs to have as close to real-time visibility of its appearance as possible. This points to the requirement for a comprehensive monitoring program that builds on any existing media or social media monitoring capability the organization already possesses.

It is important that this monitoring program specifically focus on channels that are outside the organization’s norm. These channels may be antithetical to the values of the organization, targeted to a demographic that is generally not associated with the company, or linked to apparently phony information sources. It is also important to look specifically for negative references to the organization.

After experiencing a number of negative stories driven by news and social media, Dell Computer adopted an “everyone is listening” approach to social media monitoring. A Framework for Social Analytics by Susan Etlinger of the Altimeter Group discusses Dell’s hybrid model for media monitoring, which gives a large number of its 100,000 plus workforce some responsibility for monitoring social media channels related to their lines of business. The company also has a Social Media Listening Command Center, which employs sophisticated social media monitoring software to complement its traditional media monitoring program.  

A company’s monitoring system should also include an analysis component that helps vet the material, determining how it should be classified and its importance from a risk management perspective. This component would then ensure that any important material is routed to the key decision makers for immediate action.

Finance, investment, and hedge fund companies have been taking a lead in the area of monitoring and identifying fake news stories. The growth of organizations that can deploy multiple content generators focusing on specific companies poses a significant risk to stock market investors. According to reporting in Forbes, companies are also seeking to develop algorithms that can sort through large quantities of content and identify malicious fake news campaigns. One such company that has been widely cited in this regard is Houston-based Indexer LLC.​

Response Plans

Based on the results of the risk audit, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated in the event of an actual fake news situation. At a minimum, these plans should include contact information for all crisis team members, checklists for key actions, prepared statement templates to be used with internal and external stakeholders, and escalation metrics in the event that the fake news situation is not immediately contained.

The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute’s Implementing and Operating a Joint Information System planning document. The plan covers the importance of preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific information on the importance of ensuring that information on social media regarding nuclear facilities and incidents is accurate, and that rumors and falsehoods are flagged and corrected.​

Training

The weaponization of news represents an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. As examples of fake news incidents increase, corporate security professionals should build this new threat into security training that is offered in conjunction with the corporate communications and human resources functions. Members of the senior leadership team should also be involved in any fake news response training.

Countering fake news requires fast decision making and decisive action on the part of the organization. To be able to execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.

The communications function at DePaul University in Chicago, recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while still ensuring that key facts are not overlooked.​

Cross-Functional Teams

By its nature, the threat posed by fake news needs to be met by a comprehensive organizational response. This implies a cross-functional approach to fake news management. While corporate security may take point, the expertise and resources available to the corporate communications, human resources, and legal teams will prove critical.

An executive from an international bank reported to Accenture that it was important for all key functions to participate in risk management planning, especially when it concerns social media. “However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound,” notes the Accenture white paper.

Because fake news is still a type of news, the communication and media relations skills of the corporate communication function will be needed to analyze the content and develop and distribute counter messages to all fake news reports. This function may also be the appropriate host for the monitoring program because it is a logical extension to standard corporate media monitoring activities.  

Employees are a critical audience for fake news and an important distribution channel for counter messaging. This being the case, the human resources department needs to be involved in the creation and execution of corporate security strategy with regards to fake news.  

To ensure that the organization’s rights are fully protected, and that it does not itself cross the line in terms of libel, the corporate legal team should be involved in the fake news strategy, and have a role in vetting counter messages.​

Communications

Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are provided with clear and accurate facts and count­er messages as quickly as possible.

Beyond reacting to a fake news incident, the organization should seek to inoculate its staff against its effects by undertaking a comprehensive internal communications and employee engagement program. This can be incorporated into the concept of encouraging employees to be brand ambassadors.

Organizations that are most vulnerable to fake news are those about which little is known. Without a base of preexisting knowledge, stakeholders who are exposed to fake news cannot immediately discount it, which is where the seeds of doubt take root. It is thus important that the organization be as transparent as possible, which includes regular proactive external communications. Corporate actions and policies should be communicated, explained, and contextualized to establish the reality of the situation before a fake news story can present a false narrative.  

It is especially important to get in front of any bad news stories and ensure that the organization is seen as working to resolve the issue, rather than hiding it. The idea of a first mover advantage with releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can help thwart attempts to create a scandal by fake news outlets. ​

Trust

While a full discussion of trust-based relationships is beyond the scope of this article, it should be noted that the establishment of trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth. It involves a range of factors including organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building involves all aspects of organizational behavior, it must be seen as a strategic initiative and be driven by senior management. Trust’s relationship to fake news defense is likely to be a collateral benefit rather than a primary driver of the initiative.  

The use of intentionally false or misleading information distributed through online and social media channels to disrupt or harm organizations is likely to increase dramatically in the years ahead. These actions are increasingly easy and cheap to execute, and take advantage of current weaknesses in organizational capabilities and the fact that societal trust in most traditional authority figures is at a historically low level. It is thus imperative that responsible corporate security professionals develop the internal capabilities and protocols to deal with this new threat environment before they are faced with a fake news attack. The good news is that most of the necessary resources already exist to some degree within the organizational structure and only need to be oriented around the fake news threat. This will include proactive measures such as audits, monitoring, training, and proactive communications, as well as moving quickly to react to the emergence of damaging fake news to contain it and neutralize its ability to damage the organization.  

In today’s hyperconnected global information environment no organization is safe from a fake news attack. We have had ample warnings that the threat is real and is likely to get worse.  There is no time to waste in hardening the organization against this new type of assault.  

Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years. ​ ​ ​

MOST POPULAR ARTICLES

1. The Balancing Act: How Soft Targets Can Attract Guests While Discouraging Attacks

2. Security Design 101: Best Practices on Complex Design Elements

3. Understanding the EU AI Act: A Security Perspective