Changing the Narrative Around Attack Victim Shaming


Victim shaming is never OK. Unfortunately, in some organizations, employees who fall for a social engineering ploy that leads to a ransomware attack are blamed for their actions.

“Shaming and blaming somebody for being attacked doesn’t teach anybody and it's certainly not going to make that organization better apt to take care of themselves in the future,” said Mat Gangwer, Senior Director of Managed Threat Response at Sophos.

Social engineering attacks, such as phishing emails, are common conduits for ransomware, and they have become sophisticated enough that even seasoned security veterans can be fooled.

“The phishing campaigns are getting much more complicated to identify,” said Gangwer. “The tactics used play on various attributes and are very effective. Honestly, getting tripped up by one can happen to anybody.”

Organizations that run awareness training in which employees are fooled by corporate-issued fake phishing emails, and are then shamed or made to feel foolish in the follow-up, are handling security training ineffectively, said Gangwer. End users who have been shamed are much less likely to speak up when an actual security incident occurs, so the lesson they learn is to stay quiet rather than to report.

“It’s important to train users to spot trouble, to be at a point where they might click a link and say ‘Oh, I probably shouldn't have done that. I need to now go tell somebody about it.’ It’s important to reward that kind of attitude. You don’t want users to feel like they can’t talk about it at all, because then that leads to the potential for the attack to progress further.”

There are many kinds of security awareness training programs, and most can be effective as long as they are delivered in a positive and educational way, with no shaming afterward if an employee makes a mistake or falls for one of the training phishing emails. Gangwer suggests security teams consider a rewards-based system that recognizes people or groups who bring insecure behaviors to management's attention.

“You want to create a culture where employees are not afraid to speak up.”

Find out how Sophos can help your employees learn how to spot phishing emails and social engineering attacks by visiting


Copyright © 2021 IDG Communications, Inc.