One very simple approach that many individuals and firms use to absolutely prevent this sort of thing, which requires only a minimal understanding of threats (i.e., the level you have already shown), is to never connect their work computer to the internet.
Instead they have a second computer which they use for internet purposes. This computer can be much less expensive and less capable, but perfect for its purpose.
It serves as a “sacrificial” buffer between the internet and the main work computer. It’s the one that is frequently backed up with a system that can recover everything to a computer with a reformatted disk if necessary.
Any new downloads from the net that need to go on the work computer go first to the network computer where they can be distinguished from the potentially damaging junk before being transferred. The transfer can be via “sneakernet” (walking a USB stick with the needed files to the work computer) or over a local area net connection. The network computer is the one where the user is vigilant about using a recent OS version and keeping its updates current. In my opinion Apple and Microsoft provide sufficiently capable built-in security software that there is no need to use third party security software but MacOS and Win 10 both support third party security if preferred.
A word about a local area net to connect the two computers: this takes a little better technical understanding of routers than the usual out-of-the-box install-and-forget approach. The main point is that computers that are to be kept off the net must be configured in the router without internet access. This means that the local net will allow them access to other computers, printers, etc. on the LAN but not the internet. It also means that if you want to allow web access for brief intervals for software updates or other reasons, it is only necessary to sign on to the router as administrator and turn off the “parental control” (or whatever your router calls the feature). That way you are in complete control of the risk involved according to your judgment. Don’t forget to turn it back on when you’re done!
McNeel provides a fairly easy-to-use method for “offline” software updates where the update download is done on the network computer and then transferred to the work computer for the actual update. If you deem the risk acceptable you can also just put your offline computer on the net briefly with Rhino running and let it run its automatic update. This approach is, in a practical sense, almost required to get OS updates since Microsoft and Apple have designed their update strategy to force you onto the net. The OSes will work fine without updates, however.
This is an approach to security that doesn’t require you to hire an IT consultant ($$$) or become one yourself (with the heavy time investment that it requires to stay current) yet provides a very high level of security for your work computer.
So this is one approach. I hope it helps.
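One thing worth doing after setting up the router rule described in the post above is to confirm, from the work computer itself, that the isolation actually holds: LAN neighbours are reachable but nothing on the internet is. The script below is an added example, not code from the original post or from McNeel. It assumes the LAN target list (the router or network computer address, a constructed placeholder here) and uses two well-known public IP addresses as internet probes; a successful TCP connect to either of those means the egress block is not doing its job. The loopback self-check at the bottom stands in for a real LAN host so the logic can be exercised without any network at all.

```python
"""Check that a LAN-only workstation has local reachability but no internet egress.

Added example, not part of the original forum post. Assumptions:
  - LAN_TARGETS: constructed placeholder addresses; replace with your router
    and network-computer addresses.
  - INTERNET_TARGETS: public resolvers reachable by IP, so the probe does not
    depend on DNS working on the isolated machine.
"""
import socket
from dataclasses import dataclass
from typing import List, Tuple

# Constructed placeholders: adjust to your own LAN.
LAN_TARGETS = [("192.168.1.1", 80)]            # router admin page (hypothetical)
# Public IPs, probed by address so a broken DNS cannot mask a leak.
INTERNET_TARGETS = [("1.1.1.1", 443), ("8.8.8.8", 53)]


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool
    detail: str


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt a TCP connection; any failure (refused, timeout, no route) counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True, "connected")
    except OSError as exc:  # socket.timeout, ConnectionRefusedError, gaierror are all OSError
        return ProbeResult(host, port, False, type(exc).__name__)


def assess_isolation(lan_results: List[ProbeResult],
                     internet_results: List[ProbeResult]) -> Tuple[bool, List[str]]:
    """Isolation is correct when at least one LAN target answers and no internet target does.

    Returns (ok, findings). Findings explain which condition failed so the
    operator knows whether to look at cabling/addresses or at the router rule.
    """
    findings: List[str] = []
    lan_ok = any(r.reachable for r in lan_results)
    if not lan_ok:
        findings.append("no LAN target reachable: check cabling, addresses, or the LAN side of the router rule")
    leaks = [r for r in internet_results if r.reachable]
    for r in leaks:
        findings.append(f"LEAK: {r.host}:{r.port} reachable from this machine; egress block is not effective")
    return lan_ok and not leaks, findings


def loopback_selfcheck() -> Tuple[ProbeResult, ProbeResult]:
    """Exercise the probe offline: one listening loopback port (stands in for a LAN host)
    and the same port after it is closed (stands in for a blocked internet host)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_probe("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed_result = tcp_probe("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    lan = [tcp_probe(h, p) for h, p in LAN_TARGETS]
    inet = [tcp_probe(h, p) for h, p in INTERNET_TARGETS]
    ok, notes = assess_isolation(lan, inet)
    for r in lan + inet:
        print(f"{r.host}:{r.port} -> {'reachable' if r.reachable else 'unreachable'} ({r.detail})")
    print("ISOLATION OK" if ok else "ISOLATION PROBLEM")
    for n in notes:
        print(" -", n)
```

Run it on the work computer once after configuring the router, and again after you toggle the parental-control rule back on following an update; the second run is the one people forget, and it is exactly what catches a rule that was left off.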