Your CRM Data are vital for your business. To protect them is an obvious priority. No mather if your CRM runs on Premise or on a Cloud service: if someone tries to force your passwords, and you don’t take any countermeasure, soon or later, your CRM Data will at the mercy of the attacker.
But if you act properly there’s nothing to worry about.

The first thing in order to achieve that is to enforce users to use strong passwords or to generate them using autocreation tools.
You can also ask to your IT manager to ban some IP addresses from where suspicious attempts come. This require that you or your workmate keep an eye on potentially fraudulent login attempts tracking such behavior on your Server or on your Local Net proxy.
If you are on a hosted environment, you can use a tool like cPanel > IP Address Deny Manager:

This obviously requires that you are aware of which is the IP of the attacker, or its IP range. So it could take time to prevent further intrusions. Best choice is always to automate this flow; this will let your system protected even if the “IT Manager is on holydays”.

Another difficult task you can experience, if your system is accessed from a large set of IPs, potentially from different country, is to check for failed login attempts.  To do so, one would need to check directly on the CRM log. But there is another problem: SugarCRM itself doesn’t allow you to know from where a suspicious attempt came.

I.e. a failed attempt on “admin” user would add on sugarcrm.log two rows like:

Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] SECURITY: User authentication for admin failed
Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] FAILED LOGIN:attempts[1] - admin

that is simply ineffective.