One result is that e-mail viruses are becoming less effective. "From January 2006 to January 2007, the rate of infected e-mails fell from about one in 40 to one in 330," says Ron O'Brien, a senior security analyst at security software maker Sophos. "As a vector for infection, e-mail has declined."

"In the past," Piwonka says, "the greatest threats were from outside, through the Internet or e-mail. Now you've got hackers and malicious intent of people trying to gain access to organizations in other ways. They are looking at 'where are the other points of vulnerability for our systems and data?'"

"The average user has become educated enough not to click on an attachment in unsolicited e-mail. So malware writers have shifted means of distributing viruses, Trojans and worms," O'Brien says. Much of that activity has focused on steering people to infected Web sites, but a growing percentage involves other kinds of threats, such as phishing. According to Kaspersky Labs' Viruslist.com, as of January 2007, phishing attacks were more common than viruses in e-mail messages.

However, an increasing number of attacks are attempting to bypass the firewall and antivirus programs by coming at the corporation from unsecured angles. While external threats are as virulent as ever and need to be guarded against with firewalls and other defences, it is more important to pay attention to internal weaknesses.

"The fact there are now so many pluggable devices absolutely creates new areas of exposure," says Piwonka.