I'd also add
Restrict access to backup repositories to connections from specific known IP addresses only. i.e. the servers actively involved in backup and restore processes.
Restrict interactive login to the backup servers, backup admins to use a nominated backup management server with the Veeam console installed, not their regular general purpose system.
Depending on the scale of your environment and budget;
Put internal firewalls between end user networks, server networks and backup networks using separate IP ranges and VLANs.
Basically put some physical / logical separation between your users, admins, servers and storage where ever and whenever possible.
Microsoft, NetApp, Symantec, Veeam, Veritas and VMware certified professional
MCTS, MCSE, NCDA, NCIE-BR, ASC, SCS, VMTSP, VTS, VCP