Learn from the 2017 Maersk Malware Disaster
USD 300 million estimated cost, and "within 7 minutes most of the damage was done".
Their CISO Andrew Powell presented his thoughts about it here,
An important article for your technical people is here.
Note that an expert who worked on the recovery says that they remain quite vulnerable to similar attacks.
You can have convenience or safety. But not both.
You can have complexity or safety. But not both.
Perhaps consider how closely you want to emulate what happened to Maersk. Because an attack on your systems will inevitably succeed.
We glean a lot of information about Windows-threats from our server logs. Attackers push their stuff at our systems as if they were Windows-based ones. Such attempts always fail and all of their actions get recorded.
If some of the stuff that we see gets a foothold on your Windows-based systems your day will go downhill very rapidly.
Your staff may need to learn new things and move outside their comfort zone. But avoiding that isn't sufficient reason to risk throwing away $millions.
There's lots of recommendations in the technical article linked above.
That malware affects only Microsoft Windows. As does virtually all malware.
Which makes IT diversity a superb defence. Use alternative (non-Microsoft) systems for critical processes wherever feasible.
When one global company was hit by ransomware its ERP system was completely unaffected because it runs on Linux-based servers.
The systems that we provide are Linux-based, and they're at least as capable, and are simpler, and have better defences. More here.
We can support such systems safely remotely. It's something we've been doing routinely for around 20 years. We can even install them safely remotely.