How to secure the accounting department working with different bank accounts and crypto plugins?
There are several people working with bank accounts of OOOshka IPshka (no, this was not cashed out, and nothing criminal at all, everything is legal, but I won’t go into details, “the less knowledge the competitors have, the better the business.”)
Having read all sorts of crap lately about virus attacks (encryptors are especially relevant) and draining data and passwords, I would like to somehow secure both personal data and my entire office (although it is not large, only 7-8 PCs)
Hiring a system administrator and setting up a server: I don't see the point, for three reasons.
1) You can hardly find a well-qualified specialist who will seriously administer 7-8 computers, and even if we find one, it's not a fact that he will provide 100% protection; on the contrary, if you hire a "stupid" one, it will become much easier to lose passwords and money.
In general, we work only with trusted people and would not like to hire who knows whom.
2) I don't plan to expand next year yet; maybe when I expand, I'll think about hiring an IT specialist with a high salary, etc.
3) All the people work with different accounts and different people, even though they sit in the same office.
Uniting them all into one network, or even into a local network, would, I think, make infection, hacking, etc. much easier (or am I wrong?)
In a word, my colleagues and I do not trust our money to illiterate specialists, and there are a dime a dozen of them on the labor market now; universities are churning out packs of NON-SYSADMINS. And there is no way to check whether he knows his job well or not.
I agree with all those who wrote in the answers and comments, but I will still answer with one piece of advice which, perhaps, can help a lot in your case.
Separate and standardize everything, as much as possible. I.e., literally, each subtask should be solved in an independent environment, ideally separated by hardware, but this is expensive (that is, roughly speaking, one computer per task): working with banks, working with mail, working with the Internet, working with a client, working analytics, work with reports, work on setting up and administering the environment, lunches, toilets, planning meetings... Sit down and write it all down on a piece of paper, thoughtfully: what for, when, why, how.
Avoid a collective hodgepodge: different employees should not work with different products if one will do. I.e., if it is mail, then let everyone have one product and not ten (because everyone is used to their own). In no case should personal and work tasks be mixed; I'm not talking about a ban, I'm talking about separation and isolation.
The simplest and cheapest solution for isolation is virtualization and terminal servers. Believe me, if you put users to surf the abstract Internet on a separate machine, connecting to it via a terminal (rdp/vnc/..), which has no access to your local network and machine, then this will become an almost insurmountable obstacle for viruses of any kind (there are some nuances), moreover, these machines can be automatically cleaned up by regular means of virtualization tools (reset to default state, with automatic updates at night), this will be the best antivirus and quite simple to set up.
Let your mail and chats be in one sandbox, and the opening of web pages and documents that came from outside in another, with closed access to each other not only by files but also by the network (one of the reasons why the software should be unified: setting these restrictions is easier).
In fact, you really may need to transfer information between these zones, in most cases the usual clipboard buffer of your workplace can handle this (with reservations), but you still have to set up some ways of transferring information, so what and where to transfer should be controlled, ideally by the security department, or at least specialized software (if you are afraid of leaks of classified information, for example), but at least common sense. For example, you received a pdf or docx document, by mail, .. this is already an attack vector, and you need to open such documents in an isolated sandbox, but you need to work with them, so usually this is copying specific information and pasting it into your working documents, less often - loading these documents into your software or saving,
Do the same with other tasks; let them be separated as much as possible. I know people are accustomed to making a shared file dump available on the entire local network without any separation of rights, but this is the first attack vector and a huge hole for information leakage. Everyone should have access to exactly as much as he needs. Do not be lazy, set up and delimit. And nothing is permanent: you won't be able to set it up once and then never return to this issue, you will have to think and reconfigure (albeit much less than the first time). This is not about knowledge of computer administration, it's about the ability to formulate your tasks, because if you have an administrator, you will still have to do all of this, only in human words, communicating with him.
P.S. I will be popped here now, but I repeat: sandbox isolation (based on virtual machines and several independent network segments) is not the most correct, but the simplest and cheapest solution available to small organizations that are not ready to pay for ready-made ERP solutions.
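An added example, not part of the answer above: one way to check that a firewall rule set really keeps the zones that answer describes closed to each other. The zone names, subnets, ports and rules are constructed assumptions for a small office, not anything from the thread.

```python
import ipaddress

# Constructed zones; the subnets are illustrative assumptions.
ZONES = {
    "bank":   ipaddress.ip_network("10.10.1.0/24"),  # bank clients and crypto plugins
    "mail":   ipaddress.ip_network("10.10.2.0/24"),  # mail and chat sandbox
    "browse": ipaddress.ip_network("10.10.3.0/24"),  # terminal VMs for web and outside documents
    "office": ipaddress.ip_network("10.10.4.0/24"),  # ordinary workplaces
}

# The only inter-zone flows the written-down task list justifies:
# (source zone, destination zone, TCP port).
INTENDED = {
    ("office", "browse", 3389),  # RDP from a workplace into the browsing VM
    ("office", "mail", 3389),    # RDP from a workplace into the mail sandbox
}

# Constructed allow rules (source CIDR, destination CIDR, TCP port);
# anything not listed is assumed to be dropped by default.
RULES = [
    ("10.10.4.0/24", "10.10.3.0/24", 3389),
    ("10.10.4.0/24", "10.10.2.0/24", 3389),
    ("10.10.3.0/24", "10.10.4.0/24", 445),   # browsing VMs can reach office file shares
    ("10.10.0.0/16", "10.10.1.0/24", 3389),  # over-broad source: every zone reaches bank
]

def zones_touched(cidr):
    """Names of all zones whose subnet overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return [name for name, zone in ZONES.items() if zone.overlaps(net)]

def audit(rules, intended):
    """Return (rule, src_zone, dst_zone) for each allowed flow not on the intended list."""
    findings = []
    for src, dst, port in rules:
        for s in zones_touched(src):
            for d in zones_touched(dst):
                if s != d and (s, d, port) not in intended:
                    findings.append(((src, dst, port), s, d))
    return findings

if __name__ == "__main__":
    for rule, s, d in audit(RULES, INTENDED):
        print(f"unintended flow {s} -> {d} on port {rule[2]}, allowed by {rule}")
```

Rerunning a check like this after every reconfiguration catches the broad "temporary" rule that quietly reconnects the browsing sandbox to the bank machines.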
It's called "cargo cult". The meaning of this term is that people do some things without completely understanding the mechanisms of their work, but treating them as magical rituals, which, according to their belief, should lead to the desired result.
The use of Tor "for anonymity" when performing online actions that in themselves completely deanonymize you is the best example of this, but not the only one.
The rest is just the same magical actions. "I read that cleaning the registry is good for security" is no different from "I read that eating ginger is good for health". Or how someone buys himself the most expensive set of tools and climbs in to fix something, despite the fact that the tools do not change the fact that his hands are growing out of his ass and that he does not understand anything about how the thing he is going to repair works.
Try to hire a person who really understands information security. Although it will be difficult: this one will read your terms of reference, turn around and leave. And the one who remains will be the one who pours out slang words for show and also installs "magic" programs for you.
I will try to answer this stream of consciousness seriously.
Download and read Ogletree's books on information security, make a normal network, set up a DMZ, install a normal antivirus, set up a firewall. Don't do crap like "I've been reading Habr and Hacker and now I'll defend everything cool, ya cool backup".
What you've done is overhead and mostly bad for security.