So a few questions.

Do you encrypt your hard drives? What happens when someone comes into the office and grabs the CPU. Anyone can get software on the web to wipe the login password to gain access to the client's data. 

Are you using a business email address or a personal email address. Most people pick a very weak password on personal email addresses whereas business emails have complexity rules that are enforced

Do you have a company perform phishing exercises to you. What about annual training of cybercrimes to keep up to date with trends.

Do you use a password management system to make sure that passwords are complex and are not used by different accounts.

Do you have security software installed that just incase something gets past the virus software, you would get an alert. What happens when someone brings in an affected computer to your establishment and installs software on the backside of your computer remotely to encrypt all of your files. Do you have backups