Incorporate regular corporate application server backups. These should be complemented with automated backups of workstations and laptops.
Make the encryption of hard drives on all corporate devices and BYOD a standard corporate process. Investigate the many two-factor authentication solutions available in the market.
Data should also be encrypted. This should be applied to data in transit (data during send processes) and in storage (both on a mobile device and desktop/server). Levels of encryption need to reflect the importance of a particular dataset, and the impact of it being accessed by unauthorised parties.
To avoid information files being saved onto laptops or in fileshares, Citrix or VM software should be used where possible to centralise data into key hubs that can be protected and controlled more easily. If any single access point, such as a laptop, is infected, the central data store is not compromised, while the laptop can be blocked.
Data can also be segregated, with different layers having different levels of security based on their sensitivity and importance to the business. This means that a breach does not necessarily lead to all information being accessed.
One of the most common and easily implemented security measures is patch management. Suppliers and researchers continually develop security patches and critical updates to correct software flaws and vulnerabilities.
An organisation that fails to update and implement these patches in a timely fashion remains exposed to attack and leakage until the patch is applied.
At a minimum, patch management should take place once a week. All hardware (new and existing) should be checked and default factory passwords changed/patched.
Plans and policies
A disaster recovery plan prepares management to make informed and timely decisions regarding business-critical functions. Such plans are critical to minimise impact.
Equally, they delegate role-based tasks across the business ecosystem to those individuals best equipped to handle the crisis and desired response.
When creating such a protocol, any plan needs to undergo business continuity testing.
Plans should be supplemented with relevant business controls, such as the ability to isolate and quickly quarantine individual machines that are infected, to restrict the impact of further contamination.
Whilst the above 5 steps will strengthen your business's resilience, there is no complete solution. Research the insurance market and look to take some risk off your balance sheet with the purchase of a cyber insurance policy. Why not start your research here: https://www.cyber-insure.com/quote/