It's hard to say no. To friends asking you to help you move with their truck next weekend, to a second helping of Grandma's pumpkin pie, and especially to that pop-up window that asks for your personal data online. We're wired to always respond with "yes."
And the reason for this behavior is fairly straightforward: The carrot is always more apparent (and attractive) than the stick. Whether it's for access to the latest celebrity gossip, updates on local news, or acquiring the latest "toy of the year" for your children, the reward is always front of mind. The potential harm of giving out an email or a phone number doesn't immediately reveal itself.
Casualities of the Culture of Yes
This default "yes" has long been exploited by threat actors. Some attacks cast a wide net to entice everyone, such as the recent GriftHorse malware that infected over 10 million Android phones. Notifications promised special offers in exchange for the user's phone number, which the scammer then used to surreptitiously sign up the user for a $35-per-month service.
Other malicious action might target specific, powerful individuals, an approach often favored by nation-states. In this approach, phishing emails may promise access to resources or webinars in exchange for emails and passwords. This tactic has been used in several recent hacking efforts associated with Russia and Iran.
And while it may seem isolated to the consumer realm, the issue is affecting enterprises as well. A recent survey showed that 59% of workers are using corporate emails for personal use, opening them up to phishing attacks looking for someone to say yes. A full 46% of Gen Z survey participants would open up the link or attachment in a suspected phishing email, potentially providing a banner day for the authors of the malicious email.
Continued Reinforcement of the Yes
Our culture is also reinforcing the culture of yes through new technology and usage patterns. For example, the rise in "touchless experiences" during the pandemic has given new life to QR codes — if you see it, you scan it. QR codes rely upon the default yes that we've all grown accustomed to. These visual bookmarks, while useful, subject people to the same risks as the GriftHorse campaign: The browser is sent to an unknown, potentially malicious site.
While consumers are learning to be wary of unknown sites and applications, QR codes without guardrails open them back up to potentially dangerous locations and code that seeks to do them harm or can secretly log their location by essentially "checking them in" at a particular place and time via device fingerprinting.
This culture of yes, then, presents real dangers to both our privacy and security. But the answer to this moment — this world in which the default response is yes — is not to become completely cynical about the world and everyone in it. We must resist the temptation to flip to the other extreme, a default "no." Instead, it's more of a reset in our thinking — an attempt to find balance between extremes as we interact in the digital world.
How to Find Balance (and Security) for Your Organization
Shifting from a culture of yes to a more thoughtful, balanced perspective requires three things: technology, training, and commitment.
First, technology must be used to inform and modify behavior; thoughtful choices then become easier for people than just saying "yes." To combat phishing, for example, clear identification of external emails can help users identify suspicious content. Along with clear identification of risk, phish reporting buttons should be prominent in the interface so that it's obvious what to do with suspect email. Doing the legwork for the user funnels them into making good choices. These measures can be enhanced with technology that should be table stakes for organizations already: browser isolation, endpoint detection and response, and the like.
Second, once the technology is in place, we must train our people how to use them effectively. Part of this is informative videos or seminars, but also having a feedback loop such as a Slack channel for informal advice is helpful — this builds the community awareness and builds rapport between the security team and the rest of the organization. Conducting regular phishing tests will also reinforce good habits and provide qualitative analysis for how culture change is progressing.
Finally, stay committed to your progress. If tactics are switched up too frequently, or if the culture change is not supported fully by leadership, any shift in thinking will likely cause users to revert back to the previous pattern of always saying yes to everything.
Rather than extremes, a thoughtful balance is essential if we are to ensure that our culture is served by our technology. The alternative is to sacrifice our privacy and security in our race to always say "yes."