Ensure you have a good building security plan in place to try and prevent outsiders from entering. Then ensure all wiring closets and/or other places where the network infrastructure components are placed have been physically secured from both the public and employees. Use door and cabinet locks. Verify that Ethernet cabling is run out of sight and isn't easily accessible; the same with wireless access points. Disconnect unused Ethernet ports, physically or via switch/router configuration, especially those in the public areas of the building.
4. Consider MAC address filtering
One major security issue of the wired side of network is the lack of a quick and easy authentication and/or encryption method; people can just plug in and use the network. On the wireless side you have at least WPA2-Personal (PSK) that's easy to deploy.
Although MAC address filtering can be bypassed by a determined hacker, it can serve as the first layer of security. It won't completely stop a hacker, but it can help you prevent an employee, for instance, from causing a potentially serious security hole, like allowing a guest to plug into the private network. It can also give you more control over which devices are on the network. But don't let it give you a false sense of security, and be prepared to keep the approved MAC address list up-to-date.
5. Implement VLANs to segregate traffic
If you're working with a smaller network that hasn't yet been segmented into virtual LANs, consider making the change. You can utilize VLANs to group Ethernet ports, wireless access points, and users among multiple virtual networks.
Perhaps use VLANs to separate the network by traffic type (general access, VoIP, SAN, DMZ) for performance or design reasons and/or user type (employees, management, guests) for security reasons. VLANs are especially useful when configured for dynamic assignment. For instance, you could plug in your laptop anywhere on the network or via Wi-Fi and automatically be put onto your assigned VLAN. This can be achieved via MAC address tagging or a more secure option would be to use 802.1X authentication.
To use VLANs, your router and switches must support it: look for the IEEE 802.1Q support in the product specs. And for wireless access points, you'll likely want those that support both VLAN tagging and multiple SSIDs. With multiple SSIDs you have the ability to offer multiple virtual WLANs that can be assigned to a certain VLAN.
6. Use 802.1X for authentication
Authentication and encryption on the wired side of the network are often ignored due to the complexity involved. It's IT common sense to encrypt wireless connections, but don't forget or ignore the wired side. A local hacker could possibly plug into your network with nothing stopping them from sending or receiving.
Though deploying 802.1X authentication wouldn't encrypt the Ethernet traffic, it would at least stop them from sending on the network or accessing any resources until they've provided login credentials. And you can utilize the authentication on the wireless side as well, to implement enterprise-level WPA2 security with AES encryption, which has many benefits over using the personal-level (PSK) of WPA2.
Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.