What can you afford NOT to do on IT security?