1. Never use any illegal software
If you cannot afford original software, use its open source alternative. For example, you could use Linux instead of Windows, or LibreOffice instead of Microsoft Office. If you really do need a particular piece of software, remember that many of them also come in a trial version. For example, Windows 10 Professional has a 90-day trial version. That means you could use it for 3 months for free while saving your money until you can buy the original version.
Never use cracks, keygens, or any questionable software. You never know what kind of code is in there, or what harmful action it could take on your PC or network.
2. No Administrator or root access for your clients
Windows and Linux come with a standard (non-administrator) user account type, which lets people use the installed software without the ability (or risk) of installing other, possibly harmful, software. If you are responsible for setting up new PCs for employees around your organization, you will find that this approach saves you time when dealing with certain software-related problems. In general, user-only accounts (without root or administrator access) can use the predefined software but cannot change any settings. They also cannot install new software without your permission. No new installations means that any virus or malware has a more limited environment to start from.
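Checking that employee accounts really are standard users is easy to forget once a PC has been handed over. The following is an added example (not code from the original post) that audits a Linux host's /etc/group for membership in administrator-equivalent groups; the group names in ADMIN_GROUPS and the sample file content are assumptions constructed for the demo, and the check covers group membership only, not sudoers rules or accounts with uid 0.

```python
# Added example: audit which accounts hold administrator-equivalent group
# membership on a Linux host, so ordinary employee accounts can be confirmed
# to be standard users.
# Assumptions: the /etc/group line format (name:password:gid:member1,member2)
# and the admin group names below; the sample content is constructed.

ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Constructed /etc/group content standing in for the real file.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice
users:x:100:alice,bob,carol
wheel:x:998:
"""

def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the audit
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups

def admin_members(text, admin_groups=ADMIN_GROUPS):
    """Map each user with admin-equivalent membership to the groups granting it."""
    result = {}
    for group, members in parse_group_file(text).items():
        if group in admin_groups:
            for user in members:
                result.setdefault(user, set()).add(group)
    return result

def standard_users(text, admin_groups=ADMIN_GROUPS):
    """Users listed in some group but holding no admin-equivalent membership."""
    groups = parse_group_file(text)
    everyone = set().union(*groups.values()) if groups else set()
    return sorted(everyone - set(admin_members(text, admin_groups)))

if __name__ == "__main__":
    for user, via in sorted(admin_members(SAMPLE_GROUP_FILE).items()):
        print(f"{user}: admin via {', '.join(sorted(via))}")
    print("standard users:", standard_users(SAMPLE_GROUP_FILE))
```

To run it against a real machine, pass `open("/etc/group").read()` instead of the sample text; any employee name that shows up in `admin_members` is a PC where step 2 has not actually been applied.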
3. Keep your software updated (but not immediately)
My general rule is: install new updates only after waiting at least 1 week after they are released. So when you see an update notification pop up on your desktop, wait first and find out what the update actually changes. That means checking the change logs and looking at other users' experiences after they installed the update. After that, try applying the update on one PC first. If everything seems alright, you're good to go.
4. Anti-virus, Anti-spam (and perhaps) Anti-malware
This should minimize your chance of being infected. Remember, only minimize; it is not 100% foolproof. Just remember the principle: anti-virus signatures are made after the virus has been created, so they will not help you against any kind of 0-day exploit. Keep your AV updated as well.
5. VPN Only Access
Do you have a mail server that should only be accessed by employees? Then it would be great if you limit the access. Users should connect to the VPN before they can reach the webmail (for example). I've found many, many brute-force attempts on my mail server. This method, while it might be cumbersome for some people, should minimize the risk of that kind of problem.
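Before and after putting the mail server behind the VPN, it helps to measure those brute-force attempts rather than just notice them. The following is an added example (not code from the original post) that runs two simple detections over authentication log lines: repeated failures from one address inside a time window, and one address trying many different usernames. The log line format, the thresholds and the sample lines (using documentation-only IP ranges) are all constructed assumptions; a real Dovecot or Postfix log would need its own regular expression.

```python
# Added example: flag brute-force and password-spraying sources in auth logs.
# Assumptions: a simplified "auth failed|ok user=... rip=..." line format and
# the thresholds below; the sample lines are constructed, not real captures.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T10:00:01 auth failed user=alice rip=203.0.113.7
2024-03-01T10:00:02 auth failed user=bob rip=203.0.113.7
2024-03-01T10:00:03 auth failed user=carol rip=203.0.113.7
2024-03-01T10:00:04 auth failed user=dave rip=203.0.113.7
2024-03-01T10:00:05 auth failed user=erin rip=203.0.113.7
2024-03-01T10:00:09 auth failed user=alice rip=198.51.100.20
2024-03-01T10:20:00 auth failed user=alice rip=198.51.100.20
2024-03-01T10:00:10 auth ok user=alice rip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failed|ok) user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)

def parse_auth_lines(text):
    """Return (timestamp, result, user, ip) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max failures seen inside one window} for IPs reaching the threshold."""
    failures = defaultdict(list)
    for ts, result, _user, ip in parse_auth_lines(text):
        if result == "failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits within `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def spraying_sources(text, min_users=3):
    """Return {ip: sorted usernames} for IPs that failed against many accounts."""
    users = defaultdict(set)
    for _ts, result, user, ip in parse_auth_lines(text):
        if result == "failed":
            users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_LOG))
    print("spraying:", spraying_sources(SAMPLE_LOG))
```

Once the webmail is reachable only through the VPN, these counts should drop to zero from the Internet; any failures that remain will carry VPN pool addresses and point at a misbehaving client or a leaked account rather than random scanning.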
6. Password is p4$$w0Rd
Use the general rules for setting up passwords. They should consist of mixed letters, numbers, and symbols, with a minimum of 8 characters, and should be changed periodically. If your application supports 2FA (two-factor authentication), it would be good to enable it as well.
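The rules above are easy to encode. The following is an added example (not code from the original post) that checks a password against them and against the rotation period, and goes one step beyond the text by also normalising common leet substitutions, which is why the heading's own p4$$w0Rd passes every composition rule yet is still just "password". The 90-day rotation period, the substitution table and the tiny denylist are assumptions constructed for the demo.

```python
# Added example: password policy checks for the rules in step 6.
# Assumptions: MAX_AGE_DAYS (the post only says "periodically"), the leet
# substitution table, and the constructed COMMON denylist.
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # assumed rotation period

def check_composition(password):
    """Return the list of unmet composition rules (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems

# Common leet substitutions, mapped back to the letter they usually stand for.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
COMMON = {"password", "letmein", "welcome", "qwerty"}  # constructed denylist

def looks_like_common_word(password):
    """True when undoing leet substitutions yields a denylisted word."""
    return password.translate(LEET).lower() in COMMON

def is_expired(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation period."""
    today = today or date.today()
    return today - last_changed > timedelta(days=max_age_days)

def evaluate(password, last_changed, today=None):
    """Combine all checks into one list of problems for a password."""
    problems = check_composition(password)
    if looks_like_common_word(password):
        problems.append("leet-spelled common word")
    if is_expired(last_changed, today):
        problems.append("older than rotation period")
    return problems

if __name__ == "__main__":
    print(evaluate("p4$$w0Rd", date(2024, 1, 1), today=date(2024, 2, 1)))
```

The composition rules alone accept p4$$w0Rd; only the denylist check rejects it, which is the practical reason to pair character-class rules with a check against known-bad passwords and with 2FA.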
7. Hotspot Warning
You've set up an access point in your office? Yup, that's great. But remember to keep it isolated from your office wired network. Hotspot users and wired users should not be able to communicate with each other. If your hotspot users need to access resources on the wired network, use step number 5.
8. Use SSL
Even the free ones (like Let's Encrypt) give adequate protection against man-in-the-middle attacks. If it's possible to install SSL, just use it.