1. Create a security policy — decide what does/doesn't matter
2. Train employees on security — just do the basic stuff, but all the time (strong passwords, 2FA)
3. Implement security measures — for what matters, take security very seriously
4. Use single sign-on — whether it's Google SSO, Okta, etc., you'll thank yourself later
5. Grant access on demand — people generally don't need permanent access to sensitive systems; set up groups and grant people time-bounded roles