I would recommend limiting admin access to a set of IP addresses, which will make sure that no one outside of the business can log in. You could also use a two-factor authentication extension.
Is your admin on HTTPS? That's also recommended.
If it's not that, then someone might be able to gain access through a poorly protected server or a custom extension that has a security weakness. So I would recommend reviewing all extensions for weaknesses like SQL injection.
If you are not using misc scripts for anything else, you could disable it from outputting to the site by removing it from the theme. There are probably still other areas where an attacker could inflict damage though.