dawn1993


How do I get the best cyber security to protect my files for my small company?

How do I protect my small business against hackers stealing my files? I have Norton but I know I need something else. I have 10 desktop computers and 1 laptop that I use.
Cyber Security

Éric Moreau

Backup, backup, backup. And OneDrive is not a backup. You need a backup from days, weeks, months ago because we saw OneDrive files being encrypted as well by ransomware (and even if history is available, it is not the best way to recover).

You also need something that will filter your emails for phishing and malware. If you are on Office 365, you should subscribe to the Advanced Threat Protection (ATP).

You can also, once in a while, have pentests done by professionals to help you discover the weakness of your network.

And finally, and probably the most important, you need to train your users to have a good behavior by not opening emails that look suspicious (and how to recognize them), strong passwords (and better with MFA), ... Have a look at https://www.knowbe4.com/ and https://terranovasecurity.com/


You need multi-level protection, which is also called "layered defence" or "defense in depth" (you can look that up very easily).

Layered defense means building smart and easy defense on the different nodes where your data passes:
  • on internet
  • edge security, connecting to internet
  • your internet facing servers
  • your internal network
  • your internal servers
  • your workstations
  • your mobile devices
  • your users
  • your data
It starts with
  • keeping all your systems up to date with patches
  • basic security on all systems
  • firewalls up to date and active on all systems
  • anti malware and anti virus on all systems
  • control software installation on all systems (against malicious software)
  • use multifactor authentication where possible
  • integrate with cloud where possible 
  • separate office users from power & admin users
  • ... 
Pau Lo

You should really look to implement a comprehensive security framework such as the CIS Controls to mitigate the various attack vectors. There are a number of key areas to cover, and it's a continuous effort to minimize your risk and likelihood of compromise, not a one-off request for suggested software solutions. I would recommend the CIS controls as a good framework:
https://www.sans.org/blog/cis-controls-v8/

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.

If cyber security is not your specialist area, and you have no staffing budget to bring in an expert from that field, you could perhaps look towards a 3rd party penetration testing company to come in and identify your current vulnerabilities and make suggestions on weak spots and areas for improvement. Definitely not an area to dabble with if loss of your company files and data could have non-compliance penalties attached to it (and therefore huge fines), as well as the reputational damage to your company brand.

Is the data your company processes subject to specific regulations? I am surprised you are not already audited for compliance and security posture. There seem to be very few companies who are not subject to some form of cyber security regulations. You gave some clues about the end user devices in your company, but nothing about where your company data resides?
btan

It is worth checking out Stay Safe Online, powered by the National Cyber Security Alliance, which is full of tools and resources to help small business owners protect their businesses, employees and customers from cyberattacks, data loss and other online threats.

You can learn how to assess your risks, monitor threats, implement a cybersecurity plan and train employees. You'll also learn what to do after an attack, and how to report one to the proper authorities to recoup any losses and bring attackers to justice.

I know the measures can get overwhelming, so the Federal Communications Commission's Small Biz Cyberplanner can guide you in the right direction. Just fill in your information, indicating your areas of concern, and the planner will automatically generate a custom cybersecurity plan with expert advice for your business. Areas it covers include privacy and data security, scams and fraud, network security, website security, email, mobile devices, and employees.

The FCC also released an updated one-page Cybersecurity Tip Sheet which outlines the top ten ways entrepreneurs can protect their companies – and customers – from cyber attack.
David Favor

You asked, "How do I protect my small business against hackers stealing my files."

1) Only run as non-admin user.

2) Backup your files regularly.

3) Never open an email attachment.

4) An alternative to #2 is to run an incoming MTA policy that blocks all email with any attachments that can run - exe, scripts, zip - there are many attachment extensions which are suspicious.

5) Primary consideration...

If you run as an admin user, then open/run a file attachment, then you've given permission to the hacker to have all your data.

Primary consideration, is you... are your security...

All the security in the world can be defeated by minor human actions.

Be aware you are your last line of security defense.
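
An added example, not part of any post in this thread: a minimal sketch of the attachment-blocking policy described in point 4 above, written as a check a mail filter could run on each incoming message. The extension list and the function names are assumptions for illustration; the post names only exe, scripts and zip.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; extend it to match your own policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".zip"}


def blocked_attachments(raw_bytes):
    """Return the filenames of attachments whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        # Compare only the last extension, case-insensitively, so that
        # "invoice.pdf.exe" and "SCAN.Js" are both caught.
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def verdict(raw_bytes):
    """Policy decision for one message: 'reject' or 'accept'."""
    return "reject" if blocked_attachments(raw_bytes) else "accept"


def build_sample(filename, payload=b"constructed sample bytes"):
    """Build a constructed test message with one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname in ("report.pdf", "invoice.pdf.exe", "SCAN.Js", "photos.zip"):
        print(fname, "->", verdict(build_sample(fname)))
```

A filename check like this is only one layer: it does not inspect file contents, so it belongs alongside the mail scanning and user training mentioned elsewhere in the thread.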
btan

One key thing is to always encrypt your important files, so that even if lost they remain encrypted. But of course if the machine has been compromised, things can still get out onto the Internet and remotely.

So endpoint security and network chokepoints are rather critical besides the data security that I mentioned. Solutioning wise, the links shared will be handy. You need some defense in depth in place and, as the expert mentioned, the human is the last line of defence. Once the "human firewall" is compromised the rest of the layers need to kick in.
First you need to keep the hackers out.

How they get in is usually by finding a security vulnerability and exploiting it by having a user execute something that looks fine but is actually a trojan horse. Here user education is the key. Also ensure the OS and software are maintained up to date. Blackhat hackers typically reverse engineer updates to find what was fixed and use this information to create an exploit that attacks unpatched machines.

When you say steal my data, it can mean many things in this digital world. It's not like shoplifting a candy bar as the candy bar never leaves the premises but a copy of it does. If you count the candy bars the count is correct.

Backups cannot be stressed enough.
Comparison of backup policies

Then there is data loss prevention. This prevents inadvertent use of email, printing and sometimes even viewing of confidential data.
dawn1993

ASKER

If I use a 3rd party to help implement security, how would I go about selecting a company? Does anyone have a suggestion? There are so many online to pick from.
ASKER CERTIFIED SOLUTION
btan

dawn1993

ASKER

Thanks to everyone who helped me! You all deserve credit for your expertise!!!