If you could do one thing this year, the one I think would have the most impact for your users is two-factor authentication, especially if you are a company that offers services requiring web authentication. Two-factor authentication will have a dramatic effect on your security posture. I am not saying that it is new, but I think it is coming to the point that it should be the norm, whether it is some sort of device with a rolling number, a token or even some sort of one-time pad.
Something this size I think is an excellent choice. Just have it on your key chain, pop it in the USB port like a car key and be logged in to your web services. Something you know, your password, and something you have, your USB key. There are still multiple ways to attack a system like this, such as piggybacking on the already authenticated session to do things like transferring money out of an account. Even so, this would make standard keyloggers pretty much useless on their own for stealing data.