While the user may have clicked on an email attachment or link, in almost every case technology failed on many levels: first by allowing the attachment or link to reach the user at all, and then by allowing the ransomware to execute and encrypt the system. User failures in the ransomware kill chain are the one type of failure that should be easiest to mitigate.
I want to be clear that I am not saying that user awareness is unnecessary. Every step of the kill chain presents an opportunity to stop or mitigate an attack. An aware user will not only refrain from clicking on ransomware after technology has failed and allowed it to reach them, but will also alert the IT and security staff that the technology failed and let the ransomware through. Security awareness programs are typically allocated a comparatively small budget and deliver a better return on investment. So any money spent on awareness should reduce risk, but awareness cannot be expected to be any more reliable than all of the technology that allowed the ransomware to get to the user in the first place.
Again, though, when ransomware loads on a system, it is a failure of your entire security program, not just of the user's action in clicking on the message. While it may be politically advantageous to blame the user for the click, the reality is that the failure lies far more in the message being able to reach the user, and then in the ransomware being allowed to load on the system.