Hi Teeraboon, you explained very well that is covering all important points of prevention of cyberattack to this scenario, so I should probably add two more ideas to prevent the attack and enchaining the security.
Access auditing and confidentiality agreements: to develop and implement an access auditing system to track and record all data access that can review audit logs for suspicious/unauthorized activity and may require all employees to sign annual confidentiality agreements, any unnecessary access should be disabled when task responsibilities change.