Before investing in defences, many organisations often want concrete evidence that they are, or will be targeted, by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate assessment of the threats that specific organisations face.
However, every organisation is a potential target to cyber criminals, hacktivists or other nefarious groups. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack.
As part of your risk management processes, you should be assessing whether you are likely to be the victim of a targeted or un-targeted attack; every organisation connected to the Internet should assume they will be a victim of the latter.
Either way, you should implement basic security controls consistently across your organisation, and where you may be specifically targeted, ensure you have a more in-depth, holistic approach to cyber security.