Defence Defence Defence!
From the little bits of information we get it would have been trivial to prevent or at least contain that infection to a small part of the company.
Just use the usual best practices for clients. Harden your operating systems, use application servers whenever possible, do not have persistent OS partitions between boots, etc. Notice that secure boot would have not helped in this situation at all.
The sensible thing to do would be to invest in actual security. Let's do code reviews, let's make our software simpler. Let us teach assembler before C in universities so people learn how to avoid buffer overruns.
Unfortunately the industry has little interest in secure systems. They want to continue to sell closed source software, they want to continue to use DRM, which means that they will always want to have ways to distribute binary code software which opens the gates to malware.