IME, a second server with a RAID1 or RAID5 (more economical) array is probably the best solution. There are some low-cost NAS devices, but security is usually an issue with these. Not only are they easily disconnected from the network (i.e., easily stolen), many of the ones I've seen don't participate in the domain security and therefore the files are not as secure to begin with. In large corporations, NAS's or SAN's would be in a locked file room, but I doubt you have that physical security in such a small office.
If you have enough physical drive bays within your existing server, you could conceivably add another RAID controller card inside that server. However, there are other good arguments for having a second server, since it would provide some redundancy that you are currently lacking. Right now, if your domain controller goes down, your entire system would be down and all of your documents unavailable until you could get new hardware and restore everything. With a second server, you could make it a domain controller and DNS server as well, so that your network would still operate if one of the servers failed.