Local Area Networks connect to the greater Wide Area Network of the internet, using a single point of entry, called a router. The router shares bandwidth resources, and assigns IP addresses to the internal machines.
It is to the advantage of intruders to emplace exploits on the router, or use less permanent means to develop “pivot points,” using computers within the LAN, (that are trusted by their work-mates) to cache data for later theft.
If viruses that execute at boot are the primary problem, one can theorize preparing a specially configured LiveCD version of Unix, as the Operating System of the router. Although bad actors could start viruses and exploits running, the simple expedient of rebooting the LiveCD machine, would waste the manual labor and time of the intruder. Since an optical CD cannot “save” a virus, the reboot starts anew with a pristine OS.
While this does not address the problem of “pivot point” machines, it proliferates profficiency requirements for the hacker. He must learn or know Unix/Linux, for the gateway machine, that performs the routing functions, but he must also know and use the common OS (usually Windows) of all the machines behind the router. If an A.P.T. has to pay for these skills, their costs go up.