Re: Windoze security as service
Merely switching the OS isn't going to stop ransomware.
Linux may be harder to attack that Windows, but it is not invulnerable.
When setting up a corporate network, you need to build in security from the start.
You need to ask yourself which stations on the network need access to the internet, and why. Any stations that don't need internet access should not have it. By "stations", I mean any device that may be attached to the network, whether it's a computer, printer, a medical device or some sort of manufacturing machine. Things like printers should not be accessible on the Internet.
If something needs remote activation, or updating, you need to see if the manufacturers can offer a local Update or Licencing/Activation server.
You also need a decent security system, including firewall/antivirus/intrusion detection, and to ensure any systems are locked down as tightly as they can be without impacting corporate needs.
The downside for all this is that if you do have a specialist machine connected to the network, and it goes wrong, the manufacturer will need to actually send an engineer to diagnose the problem. They will not be able to do it remotely, unless you give that machine Internet access.
Any new software/hardware that goes on the network should be thoroughly tested before use, and any updates should also be thoroughly tested, but should be deployed when they pass the test. It *is* important to keep software up to date.
Finally, there is the User. Users need to be told how to spot scams, and need to know not to just click random links in emails, or open attachments from those they don't know.
The trouble is, all that costs money to do properly, and if done properly, all it achieves is the system working as it should. That is a difficult sell to the beancounters because they'd point out that the system is just doing what it was bought to do, and they'd question why they need to spend more on it..
There is a lot more I could say about this (people have written books on this stuff), but this post is already too long. The TLDR is that no software/hardware is invulnerable. You need a well designed network, with security built in and good security practices being carried out by staff as well..