Not exactly best practice, but...
How to protect business laptops on the open wifi networks?
We usually set up a connection shortcut to the corporate VPN so connections to corporate servers are encrypted. No plans to restrict access to other websites.
Is there any best practice on what to think when securing users
The easiest I can think of is to just buy them laptops with Win10 in S mode. This way only UWP applications downloaded from the Microsoft Store can run, and it means viruses and malware can do no harm. However, this also means non-UWP LOB applications cannot be run locally, and you should prepare an RDS server for them to "Remote Desktop" in and run those applications. This is the best solution from IT support's perspective if your business has already moved all the LOB applications to the cloud as web applications, and your company uses Azure-AD.
If this is not an option, then you go through the usual Least-User-Privilege checklists so any possible damage is on that user's files only. Of course proper backup with versioning is also required to prevent damage from ransomware. Usual security advice such as "install antivirus" or "configure firewall to allow file share related ports on domain network only" applies.
(like don't click on the links that look suspicious or if you receive some link check it first)
This is not what I considered as securing users, but educating them so they know better. In this aspect some newsletter updating staff on what they should be aware/suspicious of would be great.
Just note that even if you tell the users not to watch dancing bunnies, most likely some of them will still do it. (This link contains lots of advice that should be helpful for you, so you're recommended to read it)
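The firewall advice in the answer above ("allow file share related ports on domain network only") can be checked and applied with the built-in NetSecurity cmdlets. This is an added example, not part of the original post; it assumes an English-language Windows install (where the built-in rule group is displayed as "File and Printer Sharing") and an elevated PowerShell prompt.

```powershell
# Added example. Assumption: English-language Windows, elevated prompt.
$group = 'File and Printer Sharing'

# 1. Show how Windows has classified each connected network.
#    An open Wi-Fi hotspot should appear as Public, never Private or
#    DomainAuthenticated.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Find enabled inbound file-share rules that are active on anything
#    other than the Domain profile alone (Any, Private, Public or a mix).
$exposed = Get-NetFirewallRule -DisplayGroup $group |
    Where-Object {
        $_.Direction -eq 'Inbound' -and
        $_.Enabled   -eq 'True'    -and
        $_.Profile   -ne 'Domain'
    }

$exposed |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# 3. Preview the change, then restrict those rules to the Domain profile.
#    Remove -WhatIf once the preview lists only the rules you expect.
$exposed | Set-NetFirewallRule -Profile Domain -WhatIf

# 4. Make sure unsolicited inbound traffic is dropped by default on
#    Public networks such as hotel or cafe Wi-Fi.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# 5. Confirm all three profiles are enabled and show their defaults.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Rules delivered by Group Policy are not changed by these commands; for domain-joined laptops the same restriction is normally set in the GPO so that it cannot be reverted locally.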