Growing a small business network like you are describing here is something that I deal with on a daily basis. The majority of my customers are small businesses just like yours, and every single one comes to this very point in their business technology needs.
A server is going to be your biggest change and upgrade right now, but it is absolutely necessary now if you wish to grow bigger. Up to 10 computers can reside on a simple workgroup, but anything larger than that needs a domain to operate properly. As you said, security and access restriction are also a major part of this, which is where a domain can get much more beneficial.
So far there has been some talk about the roles you will need to have a server fulfill, such as printing, web, file sharing, domain, etc. It sounds like you have a need for a server to work as 1) domain controller, 2) storage server, 3) centralized backup management, and 4) centralized invoicing and purchasing system. This list will grow as your company grows, so you don't want to base your server requirements solely on those four roles, but anticipate additional growth, such as the possible need for a remote desktop session host for remote users to log in to, or even a secure FTP role for customers accessing data from outside the network.
You can achieve what you need with a single physical server, but do not skimp on it or you may regret not having the extra room to grow in the future. I've had great luck using the HP ProLiant ML110 G7 server for several customers purchasing a first-time server. With the roles that you are looking at doing, one of these servers fully loaded should give you enough room to work with. However, you may want to seriously look at going with the ProLiant ML350p G8 instead, which can come with six-core hyperthreaded processors in up to two-socket configurations for the extra performance headroom if you want to grow.
If you use Server 2012 Essentials, you will not have the ability to virtualize your servers. This means that all of your software installations, your domain controller, everything is installed and running on the physical hardware OS. If something happens to your server, your OS is completely dependent upon the underlying hardware, which makes recovery much more difficult and time consuming, as you basically have to have a spare identical server to move over to. If you step up to Server 2012 Standard, you gain the ability to do Hyper-V virtual machines. This can assist you greatly in compartmentalizing, which is highly recommended for ease of management. Think of it this way. Without virtualization, you have to install all of your software and all of your roles under the same instance of the OS. If you later need to go and change your financial software, or let's say you have some invoicing software that ONLY works in Server 2008, then you'd have to get a whole second server for that, or you'd have to completely redo your server, including all your domain and everything involved. Instead, with compartmentalizing, you can create a virtual machine which is responsible for certain roles, such as domain controller, and a separate virtual machine for your financial software. Now the two are completely independent of one another, and if you need to change your system for your financial software it does not impact your domain or any other roles at all. This can get more costly due to licensing and needing a little extra hardware, but it is a huge improvement in the flexibility of your computer infrastructure.
What's more, virtualization helps to improve system recovery in the event that your server goes down. If you have another computer with Windows Server 2012 Standard or even just Windows 8 Professional, and your server goes down, you can move your virtual machine backups to that second computer, start them up, and it's like nothing happened. The virtual machines don't really rely on the underlying hardware, so you don't have to have them running on the same physical hardware if you move them to another machine. This can also help in upgrading or replacing physical hardware in the system. Let's say for budget reasons you decide to start with the cheaper ML110 G7 server and run two virtual machines on there. Two years down the road you have greatly expanded the business and need to add another two roles. You can either buy another server in addition, or you can buy one server that is more powerful, like the ML350p G8. Now you just move your virtual machines over to the new machine and start them up; it's fast and easy.
Now, all of this just addresses your server. There's a lot more to improving your network, though. As was mentioned above, plan on replacing your Windows XP computer, and I'd also recommend replacing the Windows Vista computer, if not just upgrading it to Windows 7. It will make a big difference in ease of maintenance as well as user experience. What sort of network infrastructure do you have in place? Do you have a bunch of small daisy-chained 10/100 switches lying around here and there? I've had customers who wanted to spend more money than they needed to on a server and completely neglect the network switches or router that were more of a concern and more in need of upgrades than the actual server. Look at getting a nice quality gigabit switch if you don't already have one.
Additionally, I'd suggest looking into a nice quality VPN router or firewall gateway. This is going to 1) give you added security from outside and internal threats to your network, 2) give you more flexibility and control over your network, including splitting into multiple subnets or VLANs if you so choose, and 3) provide secure VPN remote access from outside your network to your internal network.
The VPN part is pretty big from what you have mentioned you are looking at possibly doing. For example, if your business does open a second location, you can use one firewall at each location, set up a site-to-site VPN tunnel, and data and network resources (even printers) can be accessed from one office to the other just as if they were in the same network. You can do the same thing by setting up a group VPN for remote user login. You can set up an L2TP VPN server on most decent business VPN routers and firewalls, and configure individual user logins for employees. Then from their laptop or other mobile device, wherever they have internet access, they can log in to your router with a VPN client (this is even built in to Windows) and have a secure VPN connection back to your offices. Again, I've had wonderful luck using the SonicWall TZ series firewalls to do all of this and more; they are very flexible and powerful devices and quite cheap given the broad range of capabilities they have.
This has been a whole lot of information thrown at you, I know, but please feel free to ask questions. When I am consulting with my customers and businesses here, there are often weeks that go into just discussing and researching what solutions work best for them! Good luck, and please feel free to let me know if you need some more information.
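Provisioning the built-in Windows VPN client for the per-user L2TP login described above, and then checking that the resulting profile does not allow weak settings, as an added PowerShell example that is not part of the original post. The connection name, the gateway name and the pre-shared key prompt are placeholders; the cmdlets are the standard VpnClient module ones.

```powershell
# Added example (not from the original post): set up the Windows VPN client for an
# L2TP/IPsec connection to the office firewall, then audit the profile for weak settings.
# Hypothetical values: the connection name and the gateway name below are placeholders.
$ConnName    = 'Office-L2TP'
$GatewayFqdn = 'vpn.example-office.invalid'   # replace with your firewall's public name

# The L2TP pre-shared key only authenticates the tunnel; the employee's own login
# still happens inside it. Prompt for the PSK rather than hard-coding it in a script.
$PskSecure = Read-Host -Prompt 'Enter the L2TP pre-shared key' -AsSecureString
$PskPlain  = [System.Net.NetworkCredential]::new('', $PskSecure).Password

# Encryption is required (not merely optional), the user authenticates with MS-CHAPv2,
# all traffic goes through the tunnel, and the device does not cache the credentials.
Add-VpnConnection -Name $ConnName -ServerAddress $GatewayFqdn `
    -TunnelType L2tp -L2tpPsk $PskPlain `
    -EncryptionLevel Required -AuthenticationMethod MSChapv2 `
    -SplitTunneling:$false -RememberCredential:$false -Force

function Test-VpnConnectionHardening {
    # Returns a list of weak settings found on a VPN connection profile (empty if none).
    param([Parameter(Mandatory)][string]$Name)
    $c = Get-VpnConnection -Name $Name -ErrorAction Stop
    $findings = @()
    if ($c.TunnelType -eq 'Pptp') {
        $findings += 'PPTP tunnel (deprecated, weak encryption)'
    }
    if ($c.EncryptionLevel -notin @('Required', 'Maximum')) {
        $findings += "Encryption level is $($c.EncryptionLevel), not Required"
    }
    if ($c.AuthenticationMethod -contains 'Pap' -or $c.AuthenticationMethod -contains 'Chap') {
        $findings += 'PAP/CHAP allowed (cleartext or weak password authentication)'
    }
    if ($c.SplitTunneling)     { $findings += 'Split tunneling enabled (office traffic not forced through VPN)' }
    if ($c.RememberCredential) { $findings += 'Credentials cached on the device' }
    return $findings
}

$issues = Test-VpnConnectionHardening -Name $ConnName
if ($issues.Count -eq 0) { "$ConnName passes the hardening checks" }
else { $issues | ForEach-Object { "WARN: $_" } }
```

Run the audit function on its own against any existing profile (Get-VpnConnection lists them) to see which laptops were set up with looser settings.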