Best way to set up to stream logs securely from multiple networks to a single Graylog server?

Hello

We use MS AD, VPNs with certificates, gateway servers with authentication software like Duo, and ACLs on switches.

The best advice I can give you is to use multiple security techniques. To be honest, most, if not all, can be hacked.
Stacking security measures makes it harder to get access to sensitive data, and by monitoring the network, you may catch an intrusion before harm can be done.

90% of the time, if an issue arises, it's because someone clicked a link in an email or web UI that they should not have, so education would be the next priority, or simply create a firewall rule to prevent that.

EDIT:

I would start here…

Also check this post out.