nongv, make very, very sure your hosts are getting OS patches (Windows, right?) automatically. In a bigger environment, you'd want to do your own update server, test things first, and then push 'em out - at your scale, automatic updates and some by-hand periodic inspections would probably be more sensible. In Windows land, many security problems that are heavy problems by volume are exploiting problems for which there's already a patch.
Make sure you have good anti-virus software, installed on every box and getting updates automatically. Again, inspect periodically. This ties back with the above patching needs.
Make sure you have server-side email attachment virus scanning and probably just plain old filtering. Attachment trojan horses are rampant on the Internet. The first time I found out that I was getting hundreds of Windows virus emails in my box and the virus spread solely based on stupid users who open the attachment, I was NOT a happy camper. Apparently user stupidity is a very good carrier. Make sure your users are educated about attachments, too.
A software firewall on every PC is a good idea. It's an extra layer of defense with your existing network firewall, and it wraps applications. It will also often block or make evident spyware and viruses and other network programs that aren't supposed to be there.
What kind of router/firewall do you have? Most of the SOHO ones are okay, not super great but not horrible. But if you can give more details, folks will happily tell you the good and bad about the box you have.
Inside your network, use a switch, not a hub. Helps, not a cure-all, but makes some things harder.
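
The periodic by-hand inspection suggested above can be scripted per host. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later, Microsoft Defender as the anti-virus product, and the age thresholds shown are placeholder values.

```powershell
# Added example: per-host check of patching, anti-virus and host firewall state.
# Assumptions: Microsoft Defender is the AV product; thresholds are placeholders.
$MaxPatchAgeDays     = 45
$MaxSignatureAgeDays = 3
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. OS patches: is the update service usable, and when did a patch last install?
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service is missing or disabled')
}
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings.Add('No hotfix with a usable install date was found')
} elseif ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add(('Newest patch {0} was installed on {1:yyyy-MM-dd}' -f
        $lastPatch.HotFixID, $lastPatch.InstalledOn))
}

# 2. Anti-virus: enabled, real-time protection on, signatures recent.
try {
    $av = Get-MpComputerStatus -ErrorAction Stop
    if (-not $av.AntivirusEnabled) { $findings.Add('Anti-virus is disabled') }
    if (-not $av.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is off')
    }
    if ($av.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays)) {
        $findings.Add(('AV signatures last updated {0:yyyy-MM-dd}' -f
            $av.AntivirusSignatureLastUpdated))
    }
} catch {
    # Third-party AV products are not visible here; inspect their console instead.
    $findings.Add('Could not query Microsoft Defender; check the AV product by hand')
}

# 3. Software firewall: every profile (Domain, Private, Public) should be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add(('Firewall profile {0} is not enabled' -f $_.Name))
}

# Report one line per problem, or a single OK line for a clean host.
if ($findings.Count -eq 0) {
    '{0}: OK' -f $env:COMPUTERNAME
} else {
    $findings | ForEach-Object { '{0}: {1}' -f $env:COMPUTERNAME, $_ }
}
```

Run it from an elevated prompt on each PC; any line other than `OK` is a box to look at by hand.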