How much is enough?
You may not be in the information technology business, but we are all users and the impacts of outages today impact all of us, including emergency managers.
For the basics, see this short article, CIOs Want to Know — When Are We Done with IT Disaster Recovery?
The short answer to the question above is, "Never!" The poor will always be with us, and cybersecurity is now one of the threats that will never be "beaten." So the battle will continue as the threat evolves, and our protective measures must also mature.
A pretty basic action is to "install the patches" that are issued by providers. It is one of the biggest gaps we have — not implementing protective measures when they become available.