Most small business security incidents are not the work of sophisticated attackers. They come from a missing backup, a reused password, or an old account that was never deactivated.
Start with four basics: offline or cloud backups tested at least quarterly, unique passwords stored in a password manager, two-factor authentication on email and financial systems, and a process for removing access when someone leaves.
Add endpoint protection, segment your network so guests and CCTV cannot reach the file server, and keep a short written incident plan that names who to call when something goes wrong.
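A small audit that checks three of the basics above (accounts left enabled after someone leaves, accounts nobody has used, and accounts that reach email or finance without 2FA) is a practical way to start. This is an added example, not part of the original article; the record layout, the sample accounts and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical account record, shaped like a typical HR/IT export (constructed, not a real product format).
@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]    # None = the account has never logged in
    left_company: Optional[date]  # None = still employed
    mfa_enabled: bool
    systems: tuple                # systems the account can reach

SENSITIVE = {"email", "finance"}    # where the article says 2FA is a must
DORMANT_AFTER = timedelta(days=90)  # assumed threshold; pick one that fits the business

def audit(accounts, today):
    """Return (user, finding) pairs for enabled accounts that breach the basics."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is already dealt with
        if a.left_company is not None:
            findings.append((a.user, "still enabled after leaving on %s" % a.left_company))
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.user, "dormant: no login in %d days" % DORMANT_AFTER.days))
        exposed = SENSITIVE & set(a.systems)
        if exposed and not a.mfa_enabled:
            findings.append((a.user, "no 2FA but can reach " + ", ".join(sorted(exposed))))
    return findings

# Constructed sample: one healthy user, one departed user never offboarded,
# one never-used service account, and one account that was correctly disabled.
SAMPLE = [
    Account("alice", True, date(2024, 5, 30), None, True, ("email", "files")),
    Account("bob", True, date(2024, 1, 10), date(2024, 2, 1), False, ("email", "finance")),
    Account("cctv-svc", True, None, None, False, ("cctv",)),
    Account("carol", False, date(2023, 12, 1), date(2023, 12, 15), False, ("email",)),
]

def audit_sample():
    """Run the audit over the constructed sample as of 2024-06-01."""
    return audit(SAMPLE, date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Run it against a real export after each departure and on a fixed schedule; an empty result is the goal, and any line it prints is a task for whoever owns the offboarding process.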
Security is uncomfortable to invest in because nothing visible happens when it works. That is also exactly why it pays for itself.