Re: Wrong
The CEO would not go to jail for a ransom attack hitting the company - only for agreeing to pay a ransom. Nobody said the CEO is going to jail when a ransomware attack is successful unless the CEO was aiding it either on purpose or by being grossly negligent (e.g. not having ensured there are backups or not having any disaster recovery plan).
I am definitely very much opposed to your idea of making inadequate technical skills a crime. As you yourself wrote, technical skills of employees must be tested, and if they are not up to the minimum skill level for the job after training they can't do that job. If they are still being employed for that job (or no test of skill was done) the problem is not the technically unskilled employee but those that chose them for that particular job. We are back to deciding how far up the company ladder we want consequences to reach: is it the HR bod or the direct supervisor, or should the CEO that gets the big bucks for having ultimate responsibility in the company be affected?
If you have a license to drive a forklift and cause an accident you wouldn't go to jail either unless you did it on purpose or were grossly negligent (e.g. drunk), and the damage would probably be paid for by some insurance company. If Barbara from accounting doesn't spot a spear phishing mail with an attachment containing a zero day exploit even after having basic email and IT security training, that is not (and should not be) a crime either. Firing those that make their first mistake will not result in improved safety or security.
Windows updates can easily be enforced by the admins in a corporate environment and thus are IT's job, not something everyone applying for any job should have to know how to do.
Pulling the network plug or even the power supply if you "cock up" is a nice idea and might even mitigate the damage, but will usually not happen as the infection will most likely not be noticed while working silently in the background. Your advice sounds like your experience with "quite few ransomware cleanups" is running some virus removal tools to get rid of things like the happy99 worm. Unfortunately email attachments are still one of the main sources of infection, and even the IT security training almost all bigger companies make mandatory doesn't change a thing there.