Disable the default admin user. Create a named user per engineer with strong unique passwords.
Restrict winbox/ssh to your office subnet only. Enable Drop on all other source addresses.
Rotate admin passwords quarterly — use a generator like the one in our tools section.