Devices that access corporate data need to be known, tracked, updated and managed by policy (for example, access limited by time of day, or by whether the device may copy files). Most infections exploit vulnerabilities that have been known, and patched by the vendor, for months. Updates are key.
Use telemetry to detect anomalies on the network and block the behavior behind them. The anomaly might be code, or an employee, trying to copy or encrypt all of your data and move it out of the office.
Encrypt sensitive data while it is at rest in a database and when it moves across the organization.
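One way to do the at-rest half of this, as an added example that is not from the original article: encrypt each sensitive column value with an authenticated cipher (AES-256-GCM from Go's standard library) and bind the ciphertext to the table, column and row it belongs to. The names `customers`, `national_id`, the blob layout and the all-in-one `FieldCipher` type are assumptions for this example; the key is a placeholder and would come from a key management service in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive columns with AES-256-GCM. The key is a
// data-encryption key that in production comes from a KMS or HSM, never a literal.
type FieldCipher struct {
	aead cipher.AEAD
}

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// cellAAD is the GCM additional authenticated data: it binds a ciphertext to the
// table, column and row it was written for, so a value copied into another row
// (or column) fails authentication instead of silently decrypting.
func cellAAD(table, column string, rowID int64) []byte {
	return []byte(fmt.Sprintf("%s.%s#%d", table, column, rowID))
}

// Seal returns nonce || ciphertext || tag; that single blob is what the database stores.
func (f *FieldCipher) Seal(table, column string, rowID int64, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize()) // fresh random nonce per value; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, cellAAD(table, column, rowID)), nil
}

// Open recovers the plaintext only if the blob is intact and was sealed for this exact cell.
func (f *FieldCipher) Open(table, column string, rowID int64, stored []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(stored) < ns+f.aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	return f.aead.Open(nil, stored[:ns], stored[ns:], cellAAD(table, column, rowID))
}

func main() {
	key := make([]byte, 32) // demo only: a real DEK is fetched from the key service
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	blob, _ := fc.Seal("customers", "national_id", 42, []byte("123-45-6789"))
	pt, err := fc.Open("customers", "national_id", 42, blob)
	fmt.Printf("row 42: %s (err=%v)\n", pt, err)
	_, err = fc.Open("customers", "national_id", 43, blob) // same blob read under another row
	fmt.Println("row 43:", err)
}
```

The second `Open` in `main` fails on purpose: because the row id is part of the authenticated data, an attacker with write access to the database cannot move a ciphertext from one record to another, and any bit flipped in the stored blob is detected rather than decrypted to garbage.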
Because bad actors can be inside your network for weeks at a time, it helps to have good logging enabled. Alerts on these events also get others involved in stopping a silent breach in progress.
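The telemetry point above and the logging point here come together in a detector that runs over file-activity audit lines. The following is an added example, not code from the original article: it parses a constructed, space-separated log format (timestamp, host, operation, path, bytes), keeps a one-minute sliding window per host, and raises an alert when a host rewrites an unusual number of distinct files (the pattern of bulk encryption) or pushes an unusual volume of bytes off-host (bulk copying). The host names, thresholds and log format are assumptions; real thresholds come from a baseline of your own environment's normal activity.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one file-activity audit record (line format constructed for this example).
// Op is "write" (a file rewritten on the host) or "upload" (bytes sent off-host).
type Event struct {
	When           time.Time
	Host, Op, Path string
	Bytes          int64
}

// ParseEvent reads one line of the form "<RFC3339 time> <host> <op> <path> <bytes>".
func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, errT := time.Parse(time.RFC3339, f[0])
	n, errN := strconv.ParseInt(f[4], 10, 64)
	if err := errors.Join(errT, errN); err != nil {
		return Event{}, fmt.Errorf("line %q: %w", line, err)
	}
	return Event{When: ts, Host: f[1], Op: f[2], Path: f[3], Bytes: n}, nil
}

type Alert struct {
	Host, Rule string
	At         time.Time
}

// Detect keeps a per-host sliding window over time-sorted events and raises at most
// one alert per host and rule; thresholds must come from a baseline of normal activity.
func Detect(events []Event, window time.Duration, maxWrites int, maxUpload int64) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	var alerts []Alert
	raised, recent := map[string]bool{}, map[string][]Event{}
	for _, ev := range events {
		h := append(recent[ev.Host], ev)
		for ev.When.Sub(h[0].When) > window { // expire events older than the window
			h = h[1:]
		}
		recent[ev.Host] = h
		files, uploaded := map[string]bool{}, int64(0)
		for _, e := range h {
			if e.Op == "write" {
				files[e.Path] = true
			} else if e.Op == "upload" {
				uploaded += e.Bytes
			}
		}
		raise := func(rule string, hit bool) { // de-duplicate: one alert per host and rule
			if hit && !raised[ev.Host+"/"+rule] {
				raised[ev.Host+"/"+rule] = true
				alerts = append(alerts, Alert{Host: ev.Host, Rule: rule, At: ev.When})
			}
		}
		raise("mass-write", len(files) > maxWrites)
		raise("bulk-upload", uploaded > maxUpload)
	}
	return alerts
}

// SampleEvents builds and parses constructed lines: ws-17 edits three files over minutes
// (normal), ws-23 rewrites 30 distinct files in 30 s, ws-08 pushes 1.2 GB off-host in a minute.
func SampleEvents() ([]Event, error) {
	base := time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC)
	var events []Event
	var err error
	add := func(t time.Time, host, op, path string, n int64) {
		ev, e := ParseEvent(fmt.Sprintf("%s %s %s %s %d", t.Format(time.RFC3339), host, op, path, n))
		events, err = append(events, ev), errors.Join(err, e)
	}
	for i := 0; i < 3; i++ {
		add(base.Add(time.Duration(i)*3*time.Minute), "ws-17", "write", fmt.Sprintf("/share/finance/q%d.xlsx", i), 2048)
	}
	for i := 0; i < 30; i++ {
		add(base.Add(5*time.Minute+time.Duration(i)*time.Second), "ws-23", "write", fmt.Sprintf("/share/hr/doc%02d.docx", i), 4096)
	}
	for i := 0; i < 3; i++ {
		add(base.Add(10*time.Minute+time.Duration(i)*20*time.Second), "ws-08", "upload", "/share/eng/archive.tar", 400_000_000)
	}
	return events, err
}

func main() {
	events, err := SampleEvents()
	if err != nil {
		panic(err)
	}
	fmt.Println(Detect(events, time.Minute, 20, 1_000_000_000))
}
```

Two design choices matter for a real deployment: the alert carries the time the threshold was first crossed, which is what an analyst needs to scope the window, and each host-and-rule pair fires only once, so a machine rewriting ten thousand files produces one alert rather than ten thousand. The normal editing host never trips either rule, which is the check to run against your own baseline before enabling blocking.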
Parcel off parts of the network into separate segments, so that if one is infected, the infection can't spread to other locations.
Users can graduate from being cybersecurity liabilities to guardians of the network. Training sessions followed up by small, infrequent tests can keep users sharp and on the lookout for strange actors in the digital world. If you see something, say something.
When all else fails, have a complete snapshot of all the data you own, kept both on-premises and off-site for safety. Have a disaster recovery action plan as well as a cybersecurity response plan.