Remember -- all the policies in the world are PASSIVE and by themselves do absolutely nothing. The active part is the educated user who READS and follows each policy every day.
As the company grows and staff is added to create the I.T.(information technology) department, you need to budget immediately for a Security Czar who will manage ALL security devices, policies and how/who gets access to what. DO NOT SKIP THIS STEP.