A Risk Assessment should tell you what needs to be done. Implementing Safeguards is the doing. Some Safeguards are mandatory. The ones I consider most important include:

Encryption

Customer data needs to be encrypted both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. A review of the systems inventory should shed some light on where the data resides the requires encryption.

Multi-Factor Authentication (MFA)

This is a big one. The factors include:

• Knowledge, such as knowing a password.

• Possession, such as a one-time code sent to a smartphone that you possess

• Inherence, such as a fingerprint, facial, or retina scan.

Access to customer data requires the use of more than one type of factor. For example, a Knowledge Factor like a password and an Inherence Factor like a fingerprint. Two knowledge factors won't do.

Continuous Monitoring

What the rule calls Continuous Monitoring is commonly called Endpoint Detection and Response or EDR in the IT world. It involves engaging a Security Operation Center or SOC to monitor your network 24/7/365 to detect intrusion attempts and shut them down. It is not cheap but it's very effective.