But one of the most essential elements of your defensive arsenal is a thorough security and usage policy. An effective policy requires the same sorts of regular attention and periodic updating as the rest of your security array.
While requiring nowhere near as frequent attention as virus definitions and patches, your company's policy should receive regular reviews. A quarterly look should be sufficient, with interim updates if circumstances or configurations change.
Even a minimal policy should deal with:
Acceptable and unacceptable use of company equipment, connections and Web access
Special attention and, if needed, special rules for phones and other mobile devices
Company e-mail account usage policy
Social network behavior and restrictions
Strong password creation and frequency of password changes
Personal devices and software used for company business, or for personal purposes over company connections
Data access and particularly data-copying rules and restrictions
Penalties for violations should also be spelled out clearly.
The particulars of each category will depend upon you, the nature of your business and the business purposes to which your employees put your equipment.
But by establishing good, general security and usage policies, putting them in writing and requiring your employees to sign them, you're well-prepared to refine and focus the policies as needed, each time you review them.
Each of those reviews, I believe, should include review by all of your employees, with a dated signature if practical.
If it's not practical to get a new signature each quarter, give some thought to making employee policy review and re-signature an annual item. You could, in fact, make it part of the policy!