It's definitely not paranoia when we can all pull out log files full of people out to get us.
Every day, in mail logs, web logs, FTP logs - in fact everything that listens to incoming connections, you can see the background level of malicious connection attempts. Most are at the silly script-kiddy level, but you'll probably get at least one serious attempt a day, from somewhere.
One of our Directors overheard a colleague and me discussing one such script kiddy attempt - we were taking the piss out of the fact he was trying to find aspx files on a Linux PHP server - and the Director was horrified, asking why we weren't doing something about it.
He had no understanding of just how many attacks go on, day in and day out, and yet he's the one who normally queries why we need to invest in expensive firewalls, IDP / IDS systems, etc.
As an SME Admin, I do my best to maintain a robust and secure environment, but I'm well aware that at some point, we are going to get pwned.
We've had one incident, where a junior developer put up a web form without sanitizing inputs, and it only took a day before someone had successfully re-written the content of the site's CMS.
In another incident, the Web team wrote a comments page without a CAPTCHA on it, which allowed anyone to type in an email address and some text (not checked) and press send, and it would email the address given - an automatic spam machine, which was discovered by a bot within hours.
All you can do is try, with the resources available, to keep on top of things, and accept that despite all your best efforts, you are going to be hacked at some point, and if they're good at it, you may not even realise it.