• I used to work closely with a security expert who installed an intrusion-detection system. Once it was in place, I was amazed how many attacks we faced, and how some were successful. It was the only way we got to know that they were successful too. It completely changed my way of thinking about security.

    A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised.

    You have to know about as many attempts at intrusion as possible and your applications and database need to be instrumented well enough to alert you to any possible intrusion. If you don't, then it is like having a castle or fort without any guards.

    Database security is a boring topic. Security presentations at PASS or SQL Saturday seldom run to packed houses, but it is one of the most important areas of knowledge that a developer and DBA can possess. I recommend Denny Cherry's book as a really good introduction to SQL Server security.

    My worst experience? When an employee with a crazy grudge (an affair with another employee) sold his SQL Server login to some bandits when he left the company. I should have changed it before, I know, but security isn't an exciting topic until you get hit.

    Best wishes,
    Phil Factor