Are you sure that it needs to be protected from targeted attacks? I think small business first of all needs to be protected from viruses and, most importantly, ransomware, respectively, install antiviruses, cut user rights, prohibit launches from tmp. Yes, and the main data must be kept somewhere in reserve (or more reliably), I would still think about the server for balls and accounting ..

At a minimum, put a firewall piece of iron

1. Properly configured OS (if win 10, then you will have to disable tracking in addition to ports ..)
2. Closing ports or installing Firewall https://2ip.ru/port-scanner/
https://2ip.ru/soft/firewall /
3. The best way is to call a security specialist to close all open ports on 40 computers.

The question was about one thing, and the text about another!)
What do you mean by information leakage:
- information leak from the company to the outside?
- external influence that will affect the leakage of information?

I think before asking the question "how?", It is worth answering the question "what?".
Conduct a "minor" audit:
- Identification of information assets
- Identification of threats to assets
- Risk assessment
- ... and now ... Selecting measures to reduce risks.
You can read more about this in the ISO 27000 series of standards, and you can start from here .

In this country, it is quite traditional to take documents home to “work”. So DLP, perhaps. I would buy.