There are 6 principles that should be adopted when processing data under GDPR, and IT security is part of the final one. This means that you have to ensure appropriate safeguards are in place to stop the personal data you hold from being accidentally or deliberately compromised.
Although the regulation says that you should take security very seriously, it also says you should take into account the cost of implementing extra security, along with the likely risks if someone were to get hold of the data. It comes down to your organisation making an assessment of risk versus cost.
You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
However, you should remember that while protecting your networks and information systems from attack is important, you also need to consider other measures, such as physical and organisational security.