Victim shaming is never OK. Unfortunately, in some organizations, employees who fall for a social engineering ploy that leads to a ransomware attack are blamed for their actions.

“Shaming and blaming somebody for being attacked doesn’t teach anybody, and it’s certainly not going to make that organization better apt to take care of themselves in the future,” said Mat Gangwer, Senior Director of Managed Threat Response at Sophos.

Social engineering attacks, such as phishing emails, are common conduits for ransomware, and they have become more sophisticated. So sophisticated, in fact, that even some of the most seasoned veterans can be fooled.

“The phishing campaigns are getting much more complicated to identify,” said Gangwer. “The tactics used play on various attributes and are very effective. Honestly, getting tripped up by one can happen to anybody.”

Organizations that run awareness training in which employees are fooled by a corporate-issued fake phishing email and are then shamed or made to feel foolish in the follow-up are handling security training ineffectively, said Gangwer. End users who have been shamed are much less likely to speak up during an actual security incident, which is exactly when early reporting matters most.

“It’s important to train users to spot trouble, to be at a point where they might click a link and say ‘Oh, I probably shouldn’t have done that. I need to now go tell somebody about it.’ It’s important to reward that kind of attitude. You don’t want users to feel like they can’t talk about it at all, because then that leads to the potential for the attack to progress further.”

There are many kinds of security awareness training programs available, and most can be effective as long as they are delivered in a positive and educational way. That means no shaming on the back end if an employee makes a mistake or falls for one of the training phishing emails.
Gangwer suggests security teams consider a rewards-based system that recognizes people or groups who bring insecure behaviors to management’s attention. “You want to create a culture where employees are not afraid to speak up.”

Find out how Sophos can help your employees learn to spot phishing emails and social engineering attacks by visiting .