Companies who try to protect everything protect nothing.
I'm a meat and potatoes kinda guy. What's that mean? Stick with the basics and do them well. They've never done me wrong. There are reliable technologies and processes that I recommend for every company --build a strong foundation. Once done, identify holes that need fixing (based on risk) and fix them.
What are you afraid of most? Ransomware? Remote Access Trojans? What's most likely to attack you successfully --and hurt you the most? Ransomware can become an extinction event. So can not complying with the new government regulations.
Here's what I suggest…