The Virus That Cost One Hospital Chain $67 Million
In 2017, the NotPetya attack crippled organizations worldwide. Heritage Valley Health System in Pennsylvania lost access to its entire network. Surgeries were delayed. Patient records vanished. The total global damage from NotPetya exceeded $10 billion, according to the White House. And the infection vector? An automatic software update from a compromised Ukrainian accounting program that nobody thought twice about.
That's the reality of computer virus prevention in 2022. It's not just about avoiding sketchy downloads. It's about building layered defenses against threat actors who exploit trust, automation, and human error at industrial scale.
I've spent years watching organizations — from five-person startups to Fortune 500 companies — get hit by malware that basic hygiene would have stopped. This post gives you the nine specific steps that actually prevent computer viruses, based on what I've seen work in the real world. No theory. No fluff. Just the practical moves that keep machines clean.
What Exactly Is a Computer Virus in 2022?
A computer virus is a type of malware that attaches itself to a legitimate program or file, then replicates when that file is executed. It's different from a worm (which self-propagates across networks) or a trojan (which disguises itself as something useful). But in practice, modern malware often blurs these lines.
Today's viruses are rarely standalone. They arrive bundled with ransomware payloads, credential theft tools, and backdoor installers. The 2022 Verizon Data Breach Investigations Report found that 40% of breaches involved malware of some kind, with ransomware alone increasing by 13% year over year — a jump equal to the last five years combined.
So when we talk about how to prevent a computer virus, we're really talking about preventing the entire chain of compromise that modern malware enables.
Step 1: Patch Everything, Patch Fast
I can't overstate this one. Unpatched software is the open front door that threat actors walk through every single day. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that tracks actively exploited flaws. As of mid-2022, that catalog has hundreds of entries — and most of them have patches available that organizations simply haven't applied.
Turn on automatic updates for your operating system, your browser, and your productivity software. If you manage an enterprise environment, implement a patch management policy that prioritizes critical and high-severity CVEs within 72 hours. No exceptions.
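A sketch of how that 72-hour policy can be checked against scanner output, with KEV-listed flaws sorted to the top. This is an added example, not code from any vendor or from CISA: the findings, host names and CVE IDs are constructed placeholders, the clock is assumed to start when a finding is first seen, and treating KEV-listed flaws as in scope regardless of severity is an assumption of the example.

```python
import json
from datetime import datetime, timedelta

SLA = timedelta(hours=72)  # patch window from the policy above

# Constructed excerpt in the shape of CISA's KEV JSON feed; the ID is a placeholder.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0002", "dateAdded": "2022-06-01"}
]}""")

# Constructed scanner output: when each finding was first seen and, if fixed, when.
FINDINGS = [
    {"host": "ws-014", "cve": "CVE-0000-0001", "severity": "high",
     "seen": "2022-06-01T09:00", "patched": "2022-06-03T08:00"},
    {"host": "srv-db2", "cve": "CVE-0000-0002", "severity": "medium",
     "seen": "2022-06-01T09:00", "patched": None},
    {"host": "ws-020", "cve": "CVE-0000-0003", "severity": "critical",
     "seen": "2022-06-02T12:00", "patched": None},
    {"host": "ws-021", "cve": "CVE-0000-0004", "severity": "low",
     "seen": "2022-05-01T12:00", "patched": None},
]


def sla_breaches(findings, kev_feed, now):
    """Findings past the 72-hour window, actively exploited (KEV) ones first."""
    kev = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    breaches = []
    for f in findings:
        in_kev = f["cve"] in kev
        # Assumption: KEV-listed flaws get the SLA regardless of severity rating.
        if f["severity"] not in ("critical", "high") and not in_kev:
            continue
        deadline = datetime.fromisoformat(f["seen"]) + SLA
        # An unpatched finding is measured against the current time.
        closed = datetime.fromisoformat(f["patched"]) if f["patched"] else now
        if closed > deadline:
            hours_late = (closed - deadline).total_seconds() / 3600
            breaches.append((f["host"], f["cve"], in_kev, round(hours_late)))
    # KEV entries first, then the most overdue.
    return sorted(breaches, key=lambda b: (not b[2], -b[3]))
```

Each tuple is (host, CVE, listed in KEV, hours past the deadline); findings patched late are reported as well as those still open.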
Don't Forget Firmware and Drivers
Most people patch their OS and call it a day. But firmware vulnerabilities in routers, printers, and IoT devices provide persistence mechanisms that survive even a full OS reinstall. Check your device manufacturers' sites quarterly.
Step 2: Use Endpoint Protection — But Don't Rely on It Alone
Modern endpoint detection and response (EDR) tools go far beyond signature-based antivirus. They use behavioral analysis, machine learning, and cloud-based threat intelligence to catch malware that traditional AV misses. If you're still running a basic antivirus product from 2015, you're essentially using a screen door on a submarine.
But here's what I tell every client: endpoint protection is your seatbelt, not your driver. It catches known threats and many unknown ones, but it will never achieve 100% detection. You need every other layer in this list working alongside it.
Step 3: Train Your People to Spot Social Engineering
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2022 Cost of a Data Breach Report pegged the global average breach cost at $4.35 million. Breaches that started with phishing — which is the most common delivery mechanism for viruses and ransomware — cost even more. And phishing works because it targets people, not systems.
I've run phishing simulations for organizations where 30% of employees clicked a malicious link on the first test. After consistent security awareness training, that number drops to single digits within six months. The training works when it's ongoing, realistic, and tied to actual threat scenarios your people face.
If you're building a training program from scratch, our cybersecurity awareness training course covers the fundamentals your entire workforce needs. For organizations that want targeted anti-phishing exercises, our phishing awareness training for organizations walks teams through real-world social engineering tactics and how to neutralize them.
Your people are either your strongest defense layer or your weakest. Training determines which.
Step 4: Enable Multi-Factor Authentication Everywhere
Credential theft is how attackers move from "I compromised one machine" to "I own the entire network." Keylogger viruses, info-stealers like RedLine, and browser-stored password dumpers are everywhere in 2022. Multi-factor authentication (MFA) makes stolen credentials dramatically less useful.
Enable MFA on every account that supports it: email, VPN, cloud services, banking, admin consoles. Prefer authenticator apps or hardware keys over SMS-based codes. SIM-swapping attacks have made SMS MFA the weakest option available.
Step 5: Lock Down Email — It's Still the #1 Infection Vector
The 2022 Verizon DBIR confirms what I've seen for a decade: email remains the primary delivery channel for malware. Malicious attachments, weaponized links, and HTML smuggling techniques all arrive through your inbox.
Practical Email Hardening Steps
- Block executable attachments (.exe, .scr, .js, .bat, .vbs) at the mail gateway. Your users almost never need to receive these.
- Enable link scanning that detonates URLs in a sandbox before delivery.
- Implement DMARC, DKIM, and SPF to reduce spoofed emails reaching inboxes.
- Quarantine password-protected ZIP files — attackers use them to bypass scanning.
- Warn on external senders with a visible banner so users know when an email originates outside your organization.
These aren't exotic controls. They're available in every major email platform. I'm consistently surprised by how many organizations haven't turned them on.
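To make the first and fourth controls concrete, here is a sketch of the attachment decision a mail gateway makes: block the listed extensions, quarantine ZIP archives whose members are encrypted, deliver the rest. It is an added example, not code from any email platform; the function names, verdict labels and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".bat", ".vbs")  # from the list above


def zip_is_encrypted(data: bytes) -> bool:
    """True if any archive member has the encryption bit (0x1) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(info.flag_bits & 0x1 for info in archive.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all


def triage(raw_message: bytes) -> list:
    """Return (filename, verdict) pairs: 'block', 'quarantine' or 'deliver'."""
    verdicts = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container
        payload = part.get_payload(decode=True) or b""
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS):
            verdicts.append((name, "block"))
        elif zip_is_encrypted(payload):
            verdicts.append((name, "quarantine"))
        else:
            verdicts.append((name, "deliver"))
    return verdicts


def build_sample() -> bytes:
    """Constructed message: a script, an encrypted ZIP and a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("statement.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives; set the flag in the central directory.
    data[data.index(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg.set_content("See attachments.")
    for name, body in (("invoice.pdf.js", b"// placeholder"), ("scan.zip", bytes(data))):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()
```

Calling `triage(build_sample())` shows the double-extension file blocked on its final extension and the archive quarantined on its encryption flag rather than on its name.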
Step 6: Apply the Principle of Least Privilege
When a virus executes on a machine, it runs with whatever permissions the logged-in user has. If that user is a local administrator — which is still shockingly common — the virus can install rootkits, disable security tools, and spread laterally without restriction.
Remove local admin rights from standard user accounts. Use a privileged access management (PAM) solution for IT staff who need elevated permissions. This single change prevents a massive percentage of malware from achieving full compromise. It aligns directly with zero trust principles: never trust, always verify, and grant the minimum access needed.
Step 7: Segment Your Network
Flat networks are a gift to malware. Once a virus lands on one machine in a flat network, every other machine is reachable. Network segmentation — using VLANs, firewalls, and access control lists — limits how far an infection can spread.
Where to Start With Segmentation
At minimum, separate these zones: user workstations, servers, IoT/OT devices, guest Wi-Fi, and management interfaces. The Colonial Pipeline ransomware attack in May 2021 demonstrated what happens when IT and OT networks lack proper segmentation — the company shut down fuel delivery to the entire U.S. East Coast as a precaution because they couldn't confirm the malware hadn't spread to operational systems.
Step 8: Back Up Like Your Business Depends on It (Because It Does)
Backups don't prevent computer viruses. But they prevent viruses from destroying your business. Ransomware is a payload that viruses deliver, and your recovery plan is what determines whether you pay a ransom or restore from backup and move on.
- Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite or offline.
- Test your restores quarterly. A backup you haven't tested is a backup you can't trust.
- Keep offline backups. Sophisticated ransomware like Conti specifically targets backup servers and connected backup drives. If your backups are always online and reachable, they'll be encrypted right alongside your production data.
Step 9: Disable Macros and Script Execution by Default
Microsoft Office macros have been weaponized by threat actors for over two decades. Emotet, Trickbot, QakBot — some of the most prolific malware families in history — all relied heavily on malicious macros embedded in Word and Excel documents.
In February 2022, Microsoft announced it would begin blocking VBA macros by default in files downloaded from the internet. This is a massive step forward. But if your organization hasn't enforced this policy yet, do it now through Group Policy. Disable macros for all users who don't explicitly need them. For the handful who do, require digitally signed macros only.
Similarly, restrict PowerShell execution policies and disable Windows Script Host on endpoints that don't need it. These are the tools attackers use to execute payloads after initial infection.
How Do I Prevent a Computer Virus? The Quick-Reference Answer
To prevent a computer virus: keep all software patched, use modern endpoint protection, train employees to recognize phishing and social engineering, enable multi-factor authentication, harden email security, remove unnecessary admin privileges, segment your network, maintain offline backups, and disable macros and unnecessary scripting. No single step is sufficient — layered defense is the only approach that works consistently against modern threats.
The Layer That Ties Everything Together
Every step above is a technical or procedural control. But the connective tissue is awareness. The NIST Cybersecurity Framework — available at nist.gov — emphasizes that human behavior is both the greatest vulnerability and the greatest opportunity for risk reduction.
I've watched organizations deploy six-figure security stacks and still get breached because an employee opened a malicious attachment. I've also seen lean teams with modest budgets stay clean for years because every person in the building knew what a suspicious email looked like and what to do about it.
Computer virus prevention isn't a product you buy. It's a discipline you build. Start with the steps above. Get your people trained through a structured security awareness training program. Run regular phishing simulations that keep social engineering top of mind. Then audit, iterate, and improve.
The threat actors aren't slowing down. Neither should your defenses.