Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download and install automatically. [Preventative]
Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
Update all web browsers. The preferred browser is 64-bit Google Chrome Enterprise, as it is fairly secure by default and includes its own sandboxed Flash player and PDF viewer. [Preventative]
Update Adobe Flash to the most current version, or remove it if using Chrome as advised above. Update Adobe Reader to the most current version, or remove it if using Google Chrome. [Preventative]
Remove Java. If you must run Java, update it to the most current version, but seriously consider removing it. [Preventative]
Raise the level of User Account Control (UAC) to the highest setting, requiring an admin account to install software or modify the system. [Preventative]
Users must not be Local Admin on their PC. [Preventative]
Enable Windows Firewall on all PCs and servers. Only allow the ports and applications, inbound and outbound, that are actually required (at minimum, block inbound by default). [Preventative]
Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
All mobile devices should be updated to the latest OS version, and device passcodes must be set (at least 6 digits). [Preventative]
Bonus Items
Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
BitLocker hard drive encryption should be enabled and enforced via GPO. [Preventative]
Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
Install Sysmon on all PCs and servers. Configure it to log process creation with command-line parameters and, optionally, network events. [Detective]
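As an added example that is not part of the original checklist, the following PowerShell script performs a read-only audit of several of the items above on the local host (automatic updates, UAC level, local admins, firewall, Java, BitLocker, AppLocker, Sysmon). It assumes an elevated PowerShell 5.1 or later session with the BitLocker and AppLocker modules present; the registry paths and cmdlets used are standard Windows ones.

```powershell
# Added audit example (not part of the original checklist). Read-only: it reports
# the state of each checklist item but changes nothing. Run elevated on the host.
$results = [ordered]@{}

# Windows Update policy: AUOptions 4 = automatically download and schedule the install.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$results['WU auto download+install (policy)'] = ($au.AUOptions -eq 4)

# UAC at its highest level: UAC enabled, admins prompted for consent on the secure desktop.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results['UAC highest level'] = ($uac.EnableLUA -eq 1 -and
                                 $uac.ConsentPromptBehaviorAdmin -eq 2 -and
                                 $uac.PromptOnSecureDesktop -eq 1)

# Local Administrators membership, so ordinary user accounts can be spotted.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['Local Administrators members'] = ($admins -join ', ')

# Firewall: every profile enabled and blocking inbound traffic by default.
$badProfiles = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
$results['Firewall on, inbound blocked'] = (-not $badProfiles)

# Java: any installed product (32- or 64-bit) whose display name starts with "Java".
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$java = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' }
$results['Java installed'] = [bool]$java

# BitLocker protection active on the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['BitLocker on OS drive'] = ($bl.ProtectionStatus -eq 'On')

# AppLocker: effective policy contains publisher or hash rules (the two rule types the checklist names).
$alXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
$results['AppLocker publisher/hash rules'] = ($alXml -match 'File(Publisher|Hash)Rule')

# Sysmon: the 32-bit or 64-bit service is installed and running.
$sysmon = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' }
$results['Sysmon running'] = [bool]$sysmon

# Print the findings as a two-column report.
$results.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```

The script is a spot check for a single machine; for fleet-wide reporting the same checks would typically be pushed through a management tool and the results collected centrally.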