There is a lesson when looking at all the public security beaches. The biggest problems are lax processes. Big companies have them all the time. The security company talks about what a larger org can do but many of these have parallels for small practices.
You’re not going to stop a state actor but that’s not the likely threat. Equipment, updates, passwords, network config and open systems are simple to tighten down. Clean these things up and you’ve improved your security significantly.