This merely emphasizes the point that
end-user computers must also be secured. Above all else, this means ...
"Windows users shall not run as Administrators!" And, it means that constantly active network-driven backups must be taken.
Pragmatically speaking, you can never completely prevent "rogue software" from being introduced into an end-user machine and running there. But you
can prevent that software from successfully doing damage, either to itself or to others.
(Yes, Virginia,
even Win-doze can be made to be quite secure! Too bad that, in literally millions of installed systems, its rather baroque security features are inexplicably .. deliberately .. switched
off!)