"There is no reason anyone would attack our servers, so we are ok" is not a valid information security practice.