A Risk Assessment should tell you what needs to be done. Implementing Safeguards is the doing. Some Safeguards are mandatory. The ones I consider most important include:
Customer data needs to be encrypted both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. A review of the systems inventory should shed some light on where the data resides the requires encryption.
Multi-Factor Authentication (MFA)
This is a big one. The factors include:
Knowledge, such as knowing a password.
Possession, such as a one-time code sent to a smartphone that you possess
Inherence, such as a fingerprint, facial, or retina scan.
Access to customer data requires the use of more than one type of factor. For example, a Knowledge Factor like a password and an Inherence Factor like a fingerprint. Two knowledge factors won't do.
What the rule calls Continuous Monitoring is commonly called Endpoint Detection and Response or EDR in the IT world. It involves engaging a Security Operation Center or SOC to monitor your network 24/7/365 to detect intrusion attempts and shut them down. It is not cheap but it's very effective.