How you set up your network is as important as tasks, and will define tasks. For example:
- Firewall at each location (then keep them up to date and configured properly). You could do antimalware and other IPS functions at this level.
- Separate Private and Guest networks. We have three: Church Owned (only computers and equipment that the church owns), Mobile (Staff BYOD/Personal devices), and Guest. The Mobile and Guest networks do not have open access into the Church Owned network. Do not give out the password to the Church Owned wireless. Ruckus can do Dynamic PSK so that each device has a unique password and can be revoked centrally.
- Email spam filtering and email archive. This can block malicious files and emails, as well as archive for compliance reasons.
- Web filter (not only protects against inappropriate sites, but blocks known malicious sites as well).
- Antivirus on computers. Ensure they are up-to-date.
- WSUS for Windows to ensure security patches are being done.
- Keep browsers and apps up-to-date to ensure known vulnerabilities are patched.
- Train the staff on locking their computers as they leave their computer, as well as the basics of not opening or responding to anything they were not specifically expecting.
As you ensure your network is built with security in mind, keeping things up-to-date with upgrades, patches, etc., will become your regular tasks. Don't forget patching at all levels, from firewalls to switches to computers and servers, etc. And definitely Active Directory for centralized management.
I'm sure I'm missing a few things that others will recommend. Hope this helps.