Channel: CodeSection, Code Area, Network Security - CodeSec

Security Think Tank: A risk-based approach to security outsourcing


A useful way to begin is to build a risk register, because managing controls that do not align to a risk your business faces is ultimately counterproductive. Even the smallest of SMEs should have a risk register, and there are enough templates online to give you a starter for 10. The risks recorded should range all the way from minor glitches to major incidents that could destroy the company.

An example at the extreme end for a small organisation could be that an attacker gains access and destroys all customer account data. While this may appear to be unlikely for your organisation, there is always a chance that it could happen, and so it is worth assessing. If the assessment shows your company would go out of business due to this, then various controls are available to mitigate the risk, including intelligence, intrusion detection, perimeter controls, incident response, and online and offline backups, to name just one from each of the US National Institute of Standards and Technology (Nist) Cybersecurity Framework areas: identify, protect, detect, respond and recover.

You should also be looking at data leakage prevention services, as fines under the General Data Protection Regulation (GDPR) are much bigger than they were under the Data Protection Act 1998. Can you manage this in-house?

Each of the five control areas mentioned is available as an outsourced service, and each has a scope and key indicators to help you understand how effective it may be, and whether it will do what is required. For example, a firewall, the key perimeter defence against attackers, is still a necessary defence. However, it won’t help you spot phishing attacks against your staff, so you may also need to consider protection from malicious links or code in emails, which is where anti-malware and anti-phishing services come in, along with awareness training, and so on.

