If you’re a large company, you’ve either been hacked and are working through mitigation, or you just haven’t realized it yet. If you’re a small company or business, you have fewer people going after you, so common-sense security will help a great deal.
We see frequent and constant security breaches, hacks, and lapses in our news feed. The notion of complete security just does not exist. So how does a small business, a small medical practice, or a home health agency deal with this complexity, given that not even large, wealthy companies seem immune?
The approach is to minimize risk. Have a small footprint, limit the number of trusted access points, limit yourself to US high-quality vendors, and use 2FA, preferably with physical keys. If you can’t get physical keys, use authenticator apps. Avoid SMS verification unless it is the only option available. Lastly, use a password manager, with active processes in place to avoid duplicate passwords and to use only system-generated passwords.