There is a saying in the security community: there are two types of organizations, those that have been breached and those that do not yet know they have been breached.
I will also let you in on a secret: not all breaches are avoidable. Bad actors have too many tools and there are too many angles of attack (but that does not mean you should not try).
First, you need to keep your house tidy: know what you own, remove what you do not need, and review at least monthly that everything is up to date. This is your passive defence.
Second, you need a good NGFW (Next Generation Firewall, you can read my previous post here for more details). It will block a good portion of the malware from coming in, and it will block the attempts by malware that does make it through to call home to its C&C (Command & Control). This is your active defence.
Third, you need to keep a watchful eye on everything. This may sound impossible, but this is what a SIEM (Security Information & Event Management) is for. It collects logs from most [all] devices and Netflow data from your firewall, normalizes the events, correlates all the information and presents a complete picture of the incidents occurring across the environment. The better ones will even have an integrated Vulnerability Scanner to find weaknesses in your systems and will act as Network and Host Intrusion Detection Systems (NIDS and HIDS).
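As an added illustration of the normalize-and-correlate step described above (example code, not from the original post): two constructed log formats, a firewall's blocked outbound connections and a host's SSH login messages, are mapped to one event schema and then correlated by source IP, so the same machine's blocked call-home attempts and its login brute-forcing surface together. Device names, log formats, field names and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample logs (not from the original post): a firewall in key=value syslog
# style and a Linux host's sshd messages. Both formats are illustrative assumptions.
FIREWALL_LOG = """\
2024-03-01T10:00:05Z fw01 action=DENY src=10.0.0.12 dst=203.0.113.9 dport=443
2024-03-01T10:05:05Z fw01 action=DENY src=10.0.0.12 dst=203.0.113.9 dport=443
2024-03-01T10:10:06Z fw01 action=DENY src=10.0.0.12 dst=203.0.113.9 dport=443
"""
HOST_LOG = """\
Mar  1 10:12:03 ws15 sshd[811]: Failed password for admin from 10.0.0.12 port 51812 ssh2
Mar  1 10:12:05 ws15 sshd[811]: Failed password for admin from 10.0.0.12 port 51813 ssh2
Mar  1 10:12:08 ws15 sshd[811]: Failed password for admin from 10.0.0.12 port 51814 ssh2
Mar  1 10:12:11 ws15 sshd[812]: Accepted password for admin from 10.0.0.12 port 51815 ssh2
"""
FW_RE = re.compile(r"^\S+ (?P<dev>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")
SSH_RE = re.compile(r"^\w+ +\d+ [\d:]+ (?P<dev>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for \S+ from (?P<src>\S+)")

def normalize(lines):
    """Map raw lines from either device into one common event schema keyed on source IP."""
    events = []
    for line in lines:  # input order is kept; a real SIEM would sort on a normalized timestamp
        if m := FW_RE.match(line):
            events.append({"device": m["dev"], "src": m["src"], "dst": m["dst"],
                           "type": "outbound_denied" if m["action"] == "DENY" else "outbound_allowed"})
        elif m := SSH_RE.match(line):
            events.append({"device": m["dev"], "src": m["src"], "dst": m["dev"],
                           "type": "auth_failed" if m["outcome"] == "Failed" else "auth_success"})
    return events

def correlate(events, deny_threshold=3, fail_threshold=3):
    """Group events by source IP so one host's firewall and login activity is judged together."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        # Rule 1: repeated blocked outbound connections to one destination (call-home attempts)
        denies = Counter(e["dst"] for e in evs if e["type"] == "outbound_denied")
        for dst, n in denies.items():
            if n >= deny_threshold:
                alerts.append({"rule": "repeated_blocked_callhome", "src": src, "dst": dst, "count": n})
        # Rule 2: a run of failed logins followed by a success from the same source
        fails = 0
        for e in evs:
            if e["type"] == "auth_failed":
                fails += 1
            elif e["type"] == "auth_success" and fails >= fail_threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": src, "dst": e["dst"], "count": fails})
    return alerts

def run():
    return correlate(normalize((FIREWALL_LOG + HOST_LOG).splitlines()))
```

Run on the sample, `run()` returns two alerts for 10.0.0.12, which neither log would have produced with much confidence on its own.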
The bad news: this is not easy if you try to do it all with a small IT team.
The good news: it can be easy if you leverage a Managed [Security] Service Provider that will do this with you or for you (some will even do it with no initial cost).
Quick recap:
Ping me if you have any questions!
Loïc