The GDPR requires appropriate measures and also measures that are state of the art. However, this does not prescribe exactly what should be done, cf. Article 25 GDPR.
However, adequate here means that at least an up-to-date firewall, virus scanner and malware protection are required. Encryption of data should also be standard. You should also test your backup system regularly to be able to restore backups in case of an emergency. The introduction of password rules (the length is crucial here!) and also the definition of different users and passwords for different areas are important steps for data protection.