From a network POV, if you can't avoid RDP:
1. Only from a device owned and managed by your business. Make sure it is fully updated. Run some kind of AV. Follow some kind of endpoint management best practices with regard to security.
2. Only over a VPN tunnel.
3. Use long complex passwords for access to RDP. Ideally over 15 char. Passphrases are ideal so users can remember them.
Have your sys admins review the Microsoft RDP best practices and implement them as much as possible on the server end.
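As an added illustration (not part of the post above), here is a PowerShell snippet that applies the server-side half of that advice on a single Windows host: require Network Level Authentication and TLS for the RDP listener (both part of Microsoft's published RDP hardening guidance), narrow the built-in Remote Desktop firewall rules so only the VPN client pool can reach port 3389, enforce a 15-character minimum local password length, and then print the resulting state for review. The VPN subnet 10.8.0.0/24 is an assumption; change it to your own pool. Run it from an elevated prompt; on domain-joined machines the password policy belongs in Group Policy rather than `net accounts`.

```powershell
# Added example, not from the original post. Run as Administrator.
# ASSUMPTION: VPN clients receive addresses from 10.8.0.0/24; adjust for your site.
$VpnSubnet = '10.8.0.0/24'

# --- RDP listener hardening (per Microsoft RDP best practices) -------------
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# UserAuthentication = 1 turns on Network Level Authentication, so a client must
# authenticate before a full session is created on the server.
Set-ItemProperty -Path $tsPath -Name 'UserAuthentication' -Value 1 -Type DWord

# SecurityLayer = 2 forces TLS for the connection instead of legacy RDP security.
Set-ItemProperty -Path $tsPath -Name 'SecurityLayer' -Value 2 -Type DWord

# --- Only reachable over the VPN tunnel ------------------------------------
# The built-in "Remote Desktop" rule group defaults to RemoteAddress = Any.
# Scope it to the VPN pool so the listener is unreachable from anywhere else.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet -Enabled True

# --- Long passwords for RDP-capable accounts ---------------------------------
# Local accounts only; for domain accounts set this in the default domain policy.
net accounts /minpwlen:15

# --- Audit what is now in effect ---------------------------------------------
Get-ItemProperty -Path $tsPath |
    Select-Object UserAuthentication, SecurityLayer

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = $addr }
    }

net accounts
```

A quick sanity check after running it: from a machine that is not on the VPN, `Test-NetConnection <host> -Port 3389` should fail, and from a VPN client it should succeed and the mstsc connection should prompt for credentials before any desktop is shown (that prompt is NLA working).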