Short of that, make sure to (at least) cover the basics:
- Ask everyone to use a trusted password manager and strong, unique password for everything. Avoid shared accounts and shared passwords.
- Enable 2FA everywhere, strongly prefer authentication apps or even better, hardware tokens over SMS. Use SMS 2FA only as a last resort.
- Have everyone go through cyber security awareness training. Many attacks start off as (spear) phishing emails and/or various social engineering shenanigans.
- Update every piece of software obsessively. That includes everything from workstations and phones to servers, VPNs, routers and printers. Do not use any device which isn't supported anymore.
It's going to be worth doing threat modeling for different things, but a lot of operational problems can be solved with this and it is self-hosted