When I recommend to clients to invest into their IT security, I often get to hear excuses:
All of them are based on the assumption that nothing will happen. And if you have been in business for a while and nothing has happened yet, you might feel that this assumption is indeed true.
No two attacks are equal. However, there are two main types of attack: The targeted attack and the drive-by attack.
The targeted attack is a game of "let's see if you can stop me". If someone is motivated enough, they will get through your defenses. However, that should not cause you to throw the towel just yet. Most targeted attacks are executed by disgruntled employees and therefore there is a fairly high chance that you are not dealing with an experienced intruder. A little bit of Due Diligence will get you far along the road to protection. (If it ever comes to a lawsuit, Due Diligence will also weigh in significantly in your favor.)
The drive-by attack is nasty. It is nasty because there was no warning sign and you were selected out of the blue. Or, were there warning signs? Wasn't there this security expert who told you a year ago that you really needed to close those gaps?
In a drive-by attack an intruder, often a so-called script-kiddy, is trying to find a target based on a specific vulnerability that he just happen to know about. Take for example SQL injection. Most websites and applications are vulnerable to it. In fact, injection vulnerabilities have been leading the list of vulnerabilities for years. (See for example owasp top-10.)
Because SQL injection is so well "established" in the wild, there are tools available that automatically crawl the web to find vulnerable sites. After a site is discovered that way, the attacker spends a little time to try to "get in". There are many reasons that drive this type of attacker, but often they are just looking for (questionable) fame. For that, the attacker has to publish proof of success. That proof can be a list of passwords or credit card or health related data. Depending on their sophistication, they might also delete all your data in an attempt to hide their attack. That action is based on the hope that if the database is gone, any audit logs are gone with it.
So, why is a company selected for a drive-by attack? Not because it has a lot of valuable data, but because it did not have a lock on the door.
If a breach in your system happens and you store any type of sensitive information like credit card numbers or health related data, the law in most countries requires you to make the breach public and in addition notify each affected person individually. This can potentially cost you a lot of money, but more importantly, it will cost you customer trust. The total cost of a breach can easily go into the millions. In fact, there have been many cases over the last few years that cost each affected company more than ten million USD. That makes the penalties look small (Penalties e.g. for credit card data related breaches in the US start at 100,000 USD.) But if you are a small business, such a penalty alone can cause your operations to crumble.
However, I would like you not to look at the impact that a breach might have on your business. I would like you to look at the impact that a breach has on your customers. If the breach involved "just" a list of emails and passwords, the impact can already be tremendous. If they act quickly enough, they just have to spend hours changing their password everywhere it was used (hint: do not reuse passwords). But if they did not react in time, the attacker might take over their email account and cause further damage from there. People that are affected by this easily have to spend days to get everything back in order.
If the breach involved credit card data, it might lead to identity theft, which can cost the victim thousands and will potentially take years to clean up. If health data is involved, depending on the circumstances it can even cause an affected person to lose her job.
While you might think that you can handle the penalties and costs, if something bad should ever happen, the effects on your customers, the very people that trusted you with their data, might be disastrous.
Do not hide behind empty excuses. Do not assume that it will never happen to you. Instead, go and invest a little bit into your IT security. Remember, Due Diligence goes a long way.