This is a very common question that we hear from our clients all the time. You can literally spend hundreds of thousands of dollars employing the latest in managed firewalls, anti-malware, etc. However, security spending follows the law of diminishing returns - i.e. the first thousand will bring you from zero security to 75%, but the last thousand may only bring about a 1% improvement. So where do you draw the line?
We always recommend that backup and restore capabilities be implemented before any spend on security. In other words, let's first focus on restoring from a potential attack before focusing on preventing the attack. Local backups, cloud backups, virtualization, etc. can all be employed to assist in the backup/restore scheme.
Thought of another way - large corporations like Citibank, Yahoo, Visa & Mastercard have all suffered data breaches, and they spend millions on I.T. security. Are you willing or able to outspend them? In addition, society is getting used to this almost-daily occurrence, so a breach is not the PR spectacle that it used to be and is unlikely to affect your revenue significantly. Data loss, on the other hand, will most definitely affect your revenue.
So focus on data backup first, and have a regular test/restore procedure in place to verify that the backups work. Then, once that is all set, spend on security to whatever your budget allows, and don't lose sleep over it.