You can spend lots of money and time defining and executing a cyber security strategy. That being said, here are three things that can be done this week to dramatically improve your organization's defenses.
This isn't a list of goals for the year; if you really want to, you can get this done today.
1. Require verbal confirmation of financial requests (free)
You'd be amazed by how many organizations get duped by this one. An email sent to people in your finance group will look like it comes from a company's executive. The email will direct the receiver to wire money to an account or to buy a bunch of iTunes gift cards. The easy way to guard against this is to require verbal confirmation of these transactions.
2. Turn on "multi-factor authentication" (you probably already paid for it)
G Suite and Office 365 offer this feature; it just needs to be turned on. In short, if your email notices a login from a new device or location, it will text you to confirm that you are trying to log in. In other words, a European hacker would also need access to your phone even if they managed to grab your ID and password.
3. Phishing simulation / training (low cost)
The easiest way into a company is via a clever phishing email. Teach your team to spot suspicious emails by sending them simulated phishing emails. If they click on a simulated phish, they'll get sent to a web-based training explaining why they shouldn't have clicked on that email. Over time your team gets better and better at spotting these malicious emails. Small companies can subscribe to training services for just a few dollars a month for each employee.