Episode 15: 4 ways to fortify your organisation against the dangers of disinformation

Full transcript

Kristin Rivera: Welcome to our podcast series, Emerge stronger through disruption. I'm Kristin Rivera and I lead PwC’s Global Forensics practice and our Global Crisis Centre. After 18 months of working from home, I'm delighted to report that I'm coming to you today from PwC’s beautiful new office in San Francisco, California. 

In each episode of the series, I speak with global colleagues about the challenges facing business leaders as they navigate disruption. And today I'm joined once again by Philip Upton, a PwC partner who is tackling the topic of disinformation. 

If you're just joining us, listen to our most recent podcast, where we discussed the increasing threat of disinformation and how it's impacting corporations.

Philip, thanks for being here today. 

Philip Upton: Thanks for having me, Kristin. 

Kristin: I've been reflecting on our last conversation and the prevalence and rapid acceleration of disinformation today, from celebrities and politics to corporations and other businesses. There's no question that disinformation is a clear and present danger to society — and it's difficult to address.

So what can companies do to combat the risk of disinformation? 

Philip: Well, there are two responses to this type of challenge. There's a broader societal response that will need to come from governments. And corporations can influence these actions, and they should — in particular, regulations in this space. 

The second is some specific actions leaders within any company can take to prepare for and respond to disinformation that may, in fact, impact their organisation.

Kristin: So let's start with the first area you outlined, Philip: society's response. And more importantly, how companies can play a role in shaping solutions. 

When I think about disinformation, I think that one of the areas of highest risk is for companies that are managing platforms. I think about this as platform risk: the risk that bad actors could infiltrate a platform and use that to proliferate disinformation. This was first seen in the financial services sector, as banks recognised that their financial systems could and in fact were being used for illicit purposes. 

Philip: You're exactly right. And the recognition of that risk led to regulations, which put the burden on institutions to address and mitigate the risks.

Kristin: So how did banks influence regulation back then? And what lessons learned might there be for corporations today as they attempt to tackle disinformation through regulatory change? 

Philip: Well, banks have been around for a while. And so has money laundering. In fact, the original efforts were designed to stem the activities of organized crime — and in particular, Al Capone laundering the proceeds of illegal liquor sales and prostitution.

In 1970, the Bank Secrecy Act compelled banks to cooperate with the government to combat money laundering. And there have been multiple legislative refinements since then. 

At all stages, the banks had an opportunity to influence the legislation through the normal legislative process and by working with their regulators to address the final rules by which their compliance is assessed.

Kristin: Well, it's not every day we get to invoke Al Capone on this podcast. It's fascinating that the financial services regulations date back that far. 

So let's contrast this with technology and social media companies, which have made their platforms available to the public with the emergence of the internet as a major force in society. What regulations or regulators play a role here? 

Philip: The Federal Communications Commission, unsurprisingly, is primarily concerned with communication. But due to the laws that created it and grant it authority, it has almost no authority over what is being communicated. In fact, they've said that it's none of their business.

The only exception to this is the much-discussed Section 230 of the Communications Decency Act, which is an amendment to the Communications Act. This section waives liability for companies when illegal content is posted to their platforms, as long as those companies make a good faith effort to remove it in accordance with the law.

However, this part of the law doesn't actually grant the FCC authority over those companies or define “good faith.” And there's an enormous risk of stepping into unconstitutional territory — because a government agency telling a company what content it must keep up or take down runs full speed into the First Amendment.

So this is an area that needs to be part of the public discussion of what rules should be in place in our society. And it's about time these laws were revisited, as Section 230 dates back to 1996. And given the Constitutional implications, I think the platform companies want this. 

Think about what we recently heard during US Congressional hearings when Facebook asked for new regulations to be passed. It's been over 20 years since regulations in this space have been considered. That might as well be a millennium at the speed with which technology and platforms have advanced during that time. 

Kristin: Indeed, platforms are everywhere. It's been reported that 7 out of 10 of the largest companies in the world are platform companies.

And this is, in part, due to necessity. After the financial crisis, companies were forced to disrupt themselves, and the businesses that had developed platforms came into significantly more power. Some of the most common platform companies that we see and interact with daily in our business and personal lives are social media platforms. Also online marketplaces and information platforms. 

Philip: You're absolutely right, Kristin, and the risks go beyond the personal ones, such as you or me making decisions based on fake news or fake reviews. If you are a platform company and allow the propagation of disinformation, it's eroding the trust in your company and your ability to retain your user base.

So corporates really need to talk to the right people and be part of the conversation with governments and regulatory bodies. Disinformation has existed since time began, but these platforms have now become a major force in society. And quite frankly, it's leading to the polarisation of that society and the breakdown of trust.

Kristin: Well, I think it's absolutely clear that disinformation has a significant impact on our society and is leading to the breakdown of trust. So let's take it back, though, to your earlier comments. In addition to influencing regulation, you mentioned that there were certain things companies could do internally to help prevent disinformation.

Philip: So I think of this in terms of four key actions that every company should take. Firstly, assess your risks. Then monitor and leverage social media to get real-time alerts on disinformation campaigns. Fortify your brand against disinformation. And create a recovery plan aligned with instant management and crisis management plans.

Kristin: Well, that's a helpful list, Philip. Let's dig into those a little bit deeper. 

Philip: So firstly, assess your risks. This is something that the chief risk officer, chief information security officer, chief data officer, chief privacy officer should all be thinking about as part of your organisation's regular risk assessments.

With respect to disinformation, identify the disinformation actors, their methods and associated risks representing the greatest threat to your company. Quantify those risks. Are you facing disinformation campaigns focused on financial gain, competition, general disruption, political messaging or something else? And if you take a stance on a controversial issue, be aware of the risks and the rewards associated with taking that position.

Kristin: And what about No. 2, monitoring?

Philip: Monitoring social media is a common practice today. The company should monitor those social channels to get real-time alerts to nascent disinformation campaigns. The chief communications officer, investor relations director, public relations director or social media director should all be thinking about this.

And I would recommend that they develop a deeper understanding of how media manipulation tactics can be used to create distrust, destabilise organizations and inflict harm on people and communities. They should consider engaging a third-party monitoring and sentiment-analysis organisation. Find out — what are people saying about your company, your brand, your employees, and your products and services? What kind of conversation about your organisation is occurring in the marketplace? And what kind of impact is it having? 

You should identify and follow the influencers who are most likely to spread disinformation: Who are they? Who are their backers? Where are they based geographically? You should maintain an information source that influencers and advocates can use to find the real skinny on what's going on in your organisation. And you can build a community of advocates on social media, and establish a positive narrative about your company. 

The third area would be fortifying your brand against disinformation. And this could be something your chief marketing officer, brand lead or a chief communications officer might want to focus on. Strive to hold a continuous, authentic conversation with customers. 

Be ready to take the mic. Connect continuously with your business partners, not just your customers. 

And last, but not least, don't become part of the problem. Beware of becoming an inadvertent or accidental part of a supply chain of misinformation. Establish good governance around the facts and sources that your PR teams use, what they retweet on social media, and what they publish as thought leadership. All these matter because they embody your brand.

Kristin: And your fourth point was to create a recovery plan that's aligned with your existing incident management or crisis program. This is something near and dear to my heart. It's really important that your chief communications officer, as well as your executives who are tasked with leading your crisis response plan, have a playbook — that they test it, and that they be ready to put it into action when disinformation arises. 

Practicing for an attack, just like any other crisis, is critical, through simulations and exercises. We also like to see companies performing stakeholder analysis in order to understand the ecosystems of those that they may need to be in contact with in the event of a disinformation attack.

Having prepared narratives that you might need to use in the event of different types of attacks is a leading practice, and customising these to your particular business and to particular issues is another tip. 

And then last but not least, establishing a system to measure the effectiveness of your response and to identify lessons learned — so that you can be better prepared the next time around.

Philip: I couldn't have said it better myself. 

Kristin: And on this point, as we always say, it's not a matter of if there'll be a crisis, it's a matter of when. And that's no different when it comes to disinformation. So Philip, before we wrap up, what would you recommend companies do if they're in the midst of a disinformation attack?

Philip: Well, I think the key thing to remember about disinformation is that it's in the moment. It's something that has to be responded to immediately. And unlike many other forms of crises, where companies can have the luxury of stepping back and taking a breath and figuring out how to approach that crisis, this has to be dealt with in the moment at internet speed. 

Kristin: Philip, once again, it has been fascinating to speak with you on this topic. I really appreciate you being here with me today. 

Philip: Thank you for having me. 

Kristin: Next month, we'll be joined by our cyber colleagues to discuss the growing threat of ransomware. Don't forget to subscribe to Emerge stronger through disruption wherever you get your podcasts, and connect with Philip and me on LinkedIn. Until next time, thanks for listening.