That was one of the strategies that our annual cybersecurity training covers too.
BTW, my work got hit HARD 3 years ago with ransomware. They were honestly pretty loosey-goosey about a lot of security prior to that, and frankly were after as well.
The guy who was then director of IT when the attack happened (he caught it at 10:00 at night from home, and came to campus and started literally pulling plugs on stuff when he recognized what was going on; he probably saved the college millions of dollars and months of recovery by doing that) IS very security conscious, but didn't have a lot of sway to make changes then. He's since been promoted twice, now to a VP role, and he's made some big changes including regular password resets (there hadn't been a mandatory one in years prior to the attack), 2FA for everyone, and requiring annual cybersecurity training. He's also put official, proper mechanisms in place for reporting suspicious emails. I know none of this is earth-shattering (we were doing it at another school where I worked 5 years ago), but it's at least putting current common practice into place. BTW, I'm 5 for 5 this year on IDing their test emails, and have caught a handful of other spam or phishing attempts that were not tests.