Two things:
1) DO NOT ignore two-factor authentication for any user. Just one weak link can cost you £60,000 (or more).
2) Report breaches on time, in accordance with the law(s) that apply to you.
The U.K. ICO (Information Commissioner's Office) fined a law firm £60,000 after a 2022 ransomware attack leaked sensitive client data, including DNA tests and information about children and victims. The investigation found that the law firm failed to protect data properly, kept an outdated account in use without two-factor authentication, and waited too long to report the breach. The ICO said that protecting personal information is a legal duty, and that the firm's mistakes led to serious risks. The firm can appeal the fine but has not commented yet.
Headlines:
"Firm Failed to Close Outdated User Account, Waited 43 Days to Notify Regulators"
"Hackers in a 2022 ransomware attack stole 32.4 gigabytes of data from the law firm and later posted it on the dark web. The breach affected 791 people and contained information about 306 clients, including DNA testing data and details on children and victims of sexual offenses."