The GDPR demands measures that are appropriate and that reflect the state of the art. At the same time, it does not prescribe exactly what has to be done; cf. Article 25 GDPR.
Appropriate here means that you need an up-to-date firewall, an up-to-date virus scanner and malware protection. You should also encrypt your data by default and test your fallback system on a regular basis so that you can restore backups in an emergency. Introducing a password policy (length is the crucial factor here!) and establishing different users and passwords for different areas are important contributions to data protection.