$500 with two brand new 3TB drives, man. RAID 1 the two drives and plug it into a UPS if you want it to stay up "all the time". (Synology releases patches about once a month. Not all are useful or required, depending on what other software you're using on them. Side benefit... the thing also just became your streaming music server for the office. LOL... they even have their own -- albeit not the smartest -- Dropbox clone that can sync directories from user machines to directories on the NAS).
Synology DS216+II NAS DiskStation, Diskless
https://www.amazon.com/dp/B01EMQYGWA/ref=cm_sw_r_cp_tai_Zn5gzbYASK7ZZ
You make it a network file share for windows machines and you make folks put important files on it.
You get an Amazon S3 bucket, or Glacier bucket (I like the versioning on the S3 bucket better) and tell the Synology to back up to it.
As Rich said, you can use something on the windows machines (or manual copies) to version on the local Synology.
If you think you need that much versioning.
Nightly versions on the S3 bucket with the ability to restore them back to the Synology with, again, point and click, is probably enough for most small places' really important files.
All point and click, no Linux knowledge required. And you gained solid backups of important files both on and off site for $500 plus maybe $20/mo at Amazon if you filled the entire 3TB mirrored drive pair. More like $5 for a non-full filesystem.
The transports (POP, IMAP) have absolutely nothing to do with whether or not the vendor provides quality spam, malware/phishing detection, and virus filters at the server. Even GMail/GSuite supports POP transport if you turn it on.
It's the quality of the provider and how well they run their mail servers, and isn't related at all to what transportation protocol is used between the server and the client.
All sorts of mail servers out there are "naked" and expect you to handle the virus and other problems at the client. They're cheap. Really cheap. Adding server-side virus scanning, malware scanning, and phishing detection isn't all that expensive, though.
As far as cloud-type vendors go, all of them have some sort of protection layer in their systems, but many give no user or admin access to tweak them and/or they're known as being fairly ineffective (hairy eyeball looking at O365 here...). Google is probably the most solid, but you can also buy cloud-based scanning through various security vendors for your inbound and outbound mail to travel through before and after your choice of "naked" mail server. All sorts of options.
I will admit, I know Rich doesn't like the evil Borg at Google, but linking our Active Directory for user auth to GSuite and using them for mail was the best IT decision, behind moving servers to AWS, that we've made in years. The few times a message has gone "missing", a quick look in the audit logs reveals... "Yeah, every user sending from that little company today has attached malware. You might want to let them know, that's why we aren't receiving anything from them. Want me to send over the logs so you can send them a copy? It shows what they're infected with. Okay, thanks, bye."
Now we are playing with Google's Team Drive stuff where Amazon S3 and other AWS tools aren't the correct solution. (S3 is bloody amazing for server farms.) It's pretty good. It goes from just "pretty good" to "oh hell yes" when we factor in maintenance and sysadmin chores of a local box to do similar functionality.