It’s Not a Data Breach. But It Might Be Worse.
Among the many sessions at The-C2 this year, one particular breakout took a surprising turn. What started as a conversation about digital identity and reputation gradually morphed into something far more pressing: the growing challenge of disinformation, and how it’s becoming a serious business risk for organisations outside of politics or media.
It was clear from the tone in the room that this wasn’t a theoretical threat or a talking point about democracy. This was practical. Tactical. Board-level stuff. And the consensus? Disinformation campaigns are no longer just a problem for elections – they’re fast becoming a frontline risk for business.
Falsehood at Scale: The Business Model of Disinformation
A few of the delegates shared recent experiences of being targeted by disinformation campaigns. These weren’t random trolls or irate customers. They were coordinated attacks – deliberate, strategic, and executed with the kind of precision you’d normally expect from a PR agency.
One CISO from the financial services sector described how a false rumour about a system breach started circulating on social media, complete with fabricated screenshots and fake domain lookalikes. No breach had occurred, but the damage was real: media queries flooded in, the stock price dipped, and their security team had to burn an entire weekend trying to trace the origin and contain the fallout.
“We spent 72 hours managing an incident that didn’t exist,” he said. “But in the eyes of the public, the narrative had already taken hold.”
And that’s the sting. You don’t need access to a company’s systems to cause reputational and operational chaos anymore. You just need a credible-looking rumour and the right networks to amplify it.
The Social Media Supply Chain
What became clear in that breakout session was how ill-equipped most organisations are to defend themselves against this kind of attack. There’s no CVE number for disinformation. No SIEM alert. No firewall to stop a fake news post going viral at 3am on a Sunday.
Several leaders admitted that while their teams are well drilled for technical breaches, there’s far less rigour when it comes to responding to reputational threats born on social media. And yet, the consequences – from share price hits to boardroom panic – can be just as severe.
One COO from a tech firm described their internal review process: “We realised we had 20 pages of incident response for ransomware. But nothing at all for hostile narratives spreading on TikTok or LinkedIn.”
This is the modern equivalent of leaving the back door open. Not a failure of technology, but a gap in mindset.
Who’s Behind It? And Why It’s Getting Worse
Delegates agreed that while some disinformation campaigns are ideologically driven, many are purely commercial. Disinformation has become a service. Bad actors are hired to target competitors, discredit whistleblowers, or derail M&A activity.
As one participant said bluntly, “It’s not always a state actor. Sometimes it’s just someone trying to win a bid.”
These operations are getting smarter, faster, and harder to trace. Generative AI has made it trivial to produce convincing content at scale – fake blog posts, fake screenshots, even deepfake videos. All of which gives disinformation campaigns a new kind of potency and believability.
And the real kicker? Most companies don’t know it’s happening until it’s already picked up traction.
So What Can We Actually Do About It?
The C2 breakout surfaced several practical ideas, none perfect, but all rooted in real experience:
- Incident Response Needs to Broaden: If your playbooks only cover technical breaches, they’re not enough. You need protocols for rapid response to reputational attacks, including legal, PR, HR and executive comms.
- Digital Monitoring Has to Include Narrative Tracking: It’s not just about looking for malicious traffic. It’s about watching for false narratives as they form. Several attendees mentioned investing in tools that track brand mentions, sentiment shifts, and unusual content amplification across obscure platforms.
- Board Awareness Is Key: Just like phishing and ransomware became board-level concerns, so too must disinformation. Leadership needs to understand how narrative manipulation can impact customer trust, investor confidence and regulatory relationships.
- Cross-Functional Teams Are Essential: Legal, communications, security, and business continuity teams need to be in the room together. This isn’t just a cyber issue. It’s an organisational one.
The Slow Burn of Credibility Erosion
There was a moment of reflection during the session when someone remarked that the true danger of disinformation isn’t always immediate. It’s slow. It chips away at trust, week by week. It clouds facts. It blurs the line between what’s real and what’s rumour. And over time, it can erode a brand’s most valuable currency: credibility.
That’s why this matters now. In a world where a false post can reach millions before your comms team even wakes up, every business is at risk – whether you think you’re a target or not.
Final Thought
The biggest risks today don’t always come through a network port. Sometimes they come through stories, false ones, weaponised and distributed with intent.
If your organisation isn’t prepared to respond quickly and decisively, you might find yourself fighting a fire no one started, but everyone believes is real.
It wasn’t the headline theme of The-C2, but the discussion left a lasting impression. Disinformation isn’t just a societal issue. It’s a business risk. And we need to start treating it like one.
