It is important to consider two key points when discussing security for your information systems: security is a process, not a destination, and you can never be 100% secure.
Security is a continual process of review, plan, implement, monitor, and repeat. It is not something you can implement once and then be done with. Whether implicitly or explicitly, some of your annual IT effort/budget should be dedicated to network security, installing patches, updating device firmware, replacing end-of-life equipment, etc. This is going to become an increasingly critical aspect of your business as the “Internet of Things” takes shape. With more low-cost network devices reaching the market, there will be an increased potential for vulnerabilities. Even if you think you are reasonably secure today, you won’t be a year from now if you don’t keep up your security practices.
While it’s crucial you keep up with the security process, no matter how much time, money, and effort you devote to security, you will never be 100% secure. 100% security is an unachievable asymptotic goal. You can get close, but you can never get all the way there. Moreover, each additional 1% improvement in your security becomes more expensive and laborious than the last. You can easily become 90% secure with fairly low expense and effort, but achieving 95% security requires twice the cost and effort. Becoming 97% secure requires twice the effort again, and so on. Striking the right balance between costs and security is the ultimate goal.
One of our clients shared this analogy: there are ninjas out there with the ways and means to do you in, if they wanted. However, the fact is you don’t go around fearing a ninja on every corner, because it is not worth their effort when there are easier targets out there. Instead, you take reasonable precautions based on your environment – lock the house, lock the car, stay aware of your surroundings, don’t walk down dark alleys, etc. You don’t hire bodyguards, wear bulletproof vests, armor-plate your car, etc. You balance your security efforts with your threats.
The internet is a very risky environment, but it is also a large one, where many people don’t lock their house or car – or do so with very weak locks. So if you make reasonable efforts at common-sense security measures (e.g. use a modern firewall, patch your servers, rotate passwords every 90 days, use complex passwords), most internet criminals are probably (although not guaranteed) going to go after the other targets who don’t. If you are a larger company, or you have a higher profile, you might consider putting in a higher level of security, since the threat is higher.