It is no longer enough to take a purely defensive stance against cyber attacks – preparations must be made to maintain operations and continue business services despite (successful) cyber attacks.
The focus should be on the most business-critical assets and resources. Where are these, how are they protected, and how are they backed up? How soon can we bring the services up again after suffering a major cyber attack, e.g. a ransomware attack that encrypts some or all of the data involved?
Any third party supplying critical services or resources should also be included in these considerations.
Once you have a strategy and incident response plan, it needs regular verification, and you should perform real-life tests to make sure the plans also work in reality.