2FA and unique passwords.
Monitor active sessions.
Encryption, least privilege.
Incident response procedures.