Another bit to add in the future (since this has already happened twice), is to learn the basics of tripwire and get it running. It's useful at finding out what has occurred after a breach (which is useful in preventing it in the future), even if not much use in preventing them.