Don't use an admin user for everyday work. Use a regular user instead.
Enable 2FA for CRM users. Force regular users to set up 2FA. Can be done at Administration > Authentication.
If you have lost admin access and want to recover your password, set 'passwordRecoveryForAdminDisabled' to false in data/config.php.
Consider configuring password strength parameters (at Administration > Authentication).
Consider decreasing Auth Token Max Idle Time. You can also specify Auth Token Lifetime.
Restrict the ability to upgrade and upload extensions via the UI. Set 'adminUpgradeDisabled' => true in data/config-internal.php.
Consider specifying an IP address whitelist. Parameters are available at: Administration > Authentication > Access.
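As an added example (not EspoCRM's own code), the following PHP script checks a loaded configuration array against the recommendations above and lists what is still missing. Only 'passwordRecoveryForAdminDisabled' and 'adminUpgradeDisabled' are named on this page; the keys 'authTokenMaxIdleTime', 'authTokenLifetime' and 'auth2FA' are assumed from EspoCRM's configuration, and the numeric thresholds are illustrative.

```php
<?php
// Added audit helper, not part of EspoCRM. It takes the merged config array
// and returns one finding per hardening recommendation that is not met.
// Key names other than the two quoted in the checklist are assumed.

function auditEspoConfig(array $config): array
{
    $findings = [];

    // Admin password recovery should stay disabled; the checklist only
    // turns it off temporarily while recovering lost admin access.
    if (empty($config['passwordRecoveryForAdminDisabled'])) {
        $findings[] = "passwordRecoveryForAdminDisabled is false: re-enable it after recovering admin access";
    }

    // Upgrades and extension uploads through the UI should be blocked.
    if (empty($config['adminUpgradeDisabled'])) {
        $findings[] = "adminUpgradeDisabled is not true: set it in data/config-internal.php";
    }

    // Idle timeout for auth tokens (assumed key, hours); 0 means tokens never
    // expire through inactivity. The 48-hour ceiling is an illustrative choice.
    $idle = (float) ($config['authTokenMaxIdleTime'] ?? 0);
    if ($idle <= 0 || $idle > 48) {
        $findings[] = "authTokenMaxIdleTime is {$idle} hours: consider a lower, non-zero value";
    }

    // Absolute token lifetime (assumed key, hours); 0 means unlimited.
    $lifetime = (float) ($config['authTokenLifetime'] ?? 0);
    if ($lifetime <= 0) {
        $findings[] = "authTokenLifetime is unlimited: consider specifying a lifetime";
    }

    // 2FA must be switched on before users can be forced to set it up (assumed key).
    if (empty($config['auth2FA'])) {
        $findings[] = "auth2FA is off: enable 2FA for CRM users";
    }

    return $findings;
}

// Constructed sample input: config.php merged with config-internal.php,
// the internal file taking precedence. In a real deployment use
// array_merge(require 'data/config.php', require 'data/config-internal.php').
$config = array_merge(
    ['passwordRecoveryForAdminDisabled' => false, 'authTokenMaxIdleTime' => 0, 'auth2FA' => true],
    ['adminUpgradeDisabled' => true]
);

foreach (auditEspoConfig($config) as $finding) {
    echo "- {$finding}\n";
}
```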