Comment by codingdave
3 days ago
Risk management is not (always) about prevention as much as it is about reaction and mitigation.
Most nefarious attacks on sites/apps are occasional or one-time things. As an example, I used to work on a site that would get DDoSed a few times a year. I'm not sure why we were targeted, but rather than move our entire weird old legacy infrastructure to a vendor who could mitigate DDoS attacks, we had standard actions to take: Call our server dude, roll traffic to the backup data center, ID the IPs at fault, add them to our block list, inform partners and customers to let us know if the new IP blocks affected them.
It was an annoyance, but not a disaster. That is the level of preparation you want - enough to just be annoyed when bad things happen, not demolished.
That should not stop you from prevention, either, of course - if you want to be proactive about such things, go for it.
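The "ID the IPs at fault, add them to our block list" step of the runbook described above, as an added example (not codingdave's code or anything from the site they describe): it parses constructed Common Log Format access-log lines, flags sources whose request count in a 60-second window exceeds a threshold, skips an allowlist so a partner's known host is not blocked by mistake, and renders the result as nftables set additions. The log format, the threshold, the allowlist entry and the `inet filter ddos_block` set name are all assumptions.

```python
"""Rate-based source-IP triage for a volumetric HTTP flood.

Added example, not codingdave's code. Assumes access logs in Common Log
Format (assumption) and a simple requests-per-window threshold (assumption).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 203.0.113.7 sends 60 requests in one minute,
# the other two sources are ordinary traffic (documentation-range IPs).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET / HTTP/1.1" 200 512'
     for i in range(60)]
    + ['198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /about HTTP/1.1" 200 1024',
       '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /contact HTTP/1.1" 200 900',
       '192.0.2.33 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 302 0']
)

# Hosts that must never be blocked, e.g. a partner's monitoring probe (assumed value).
ALLOWLIST = {"198.51.100.4"}


def parse_line(line):
    """Return (ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def requests_per_window(log_text, window_seconds=60):
    """Count requests per (ip, window-bucket); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds
        counts[(ip, bucket)] += 1
    return counts


def offending_ips(log_text, threshold=30, window_seconds=60):
    """IPs whose peak per-window request count exceeds the threshold,
    excluding allowlisted hosts. Sorted so the output is stable for review."""
    counts = requests_per_window(log_text, window_seconds)
    peak = defaultdict(int)
    for (ip, _bucket), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return sorted(ip for ip, n in peak.items()
                  if n > threshold and ip not in ALLOWLIST)


def block_rules(ips):
    """Render nftables commands adding each IP to a pre-existing blocklist set.
    The table/set name 'inet filter ddos_block' is an assumption."""
    return [f"nft add element inet filter ddos_block {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    flagged = offending_ips(SAMPLE_LOG)
    print("Flagged sources:", flagged)
    for rule in block_rules(flagged):
        print(rule)
```

Review the flagged list before applying the rules; a threshold this simple will also catch a busy NAT gateway, which is exactly why the comment's last step (telling partners which ranges were blocked and asking them to report breakage) belongs in the runbook.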