Not a fan of top x lists, but here is a top five list (doh) of things you could do if you have influence on a system you want to improve the security of, and are starting out, or you may want to ask folks who look after your security...

1. Protect people from phishing, try not to just rely on people spotting social engineering

2. Control privileged accounts, remove admin rights and allow by exception

3. Keep devices and software up-to-date, enable auto updates if you can

4. Make sure your partners (suppliers) are protecting your data, some clues what to ask in this list

5. Check authentication methods, enable MFA (multi factor authentication) where available

This is all easier said than done and depends on context 

#infosec #cybersecurity #basics?

@_4_d_4_m_ ad next 7. test your #backup 8. monitoring logs 9. know what’s in scope 10. engage CxO :)
@arthc what happened to 6?
@_4_d_4_m_ hackers have stolen ad 6 :)