Information security experts are always very realistic. They do not expect that things will go off all right. The bad will happen without doubt. Therefore, it is necessary to calculate the probability, figure out what to do in the case of a real incident and how to reduce the chances to reach something bad. As well as how much it will cost.
That is why, the basis is the threat model, which describes each type of threat, expected consequences and measures to prevent them in the smallest details. If it becomes clear that the probability of the event times the damage is above the cost of prevention, it is obvious that one must develop the infrastructure security.
Remember the relatively recent epidemic of locker virus. Nothing more or less, but all computers are locked, including counters, ticket printing machines at railway stations, terminals in the pharmacies and workplaces with sensitive data accumulated over the years. We know the cases, when in the face of the threat of spread of the epidemic, banks immediately turned off entire branches (and lost credit history of the customers at those branches).
An open network is also a way to knock you out for a couple of days, weeks or months by DDoS attacks. A competitor can attack retail process and stop information exchange in it (i.e. there will be no access to inventory balances on any of the warehouses, for example), the mass media company may be just blocked for a week (and that's the end of popularity), construction companies are knocked out before the tenders and so on. Falling down in the seasonal peak for a couple of days means losing revenue for half a year as a rule. Therefore, it is worth thinking about security. At the very least, it will pay off.
