A customer has invested in firewalls, anti-virus software and intrusion detection systems that are all regularly monitored and updated.
It downloads patches, backs up data, trains its staff, secures its wireless networks, and never, ever writes passwords on Post-it notes (well, hardly ever). So it has got security sorted, right?
Wrong. These measures should protect against most conventional threats. But IT security never stands still. There is always a new threat.
This is bad news for users, no doubt, but good news for the security industry and the resellers who support it.
Over the past few months, security threats have changed alarmingly, exploiting new technologies and bypassing traditional defences to slip in by the back door.
Instead of using email to gain entry and working at the operating system level, attackers are increasingly turning to the web and aiming at specific applications, which makes their attacks invisible to many firewall and anti-virus (AV) products.
"Today's users can effortlessly access the internet and internet-based applications from the workplace," says Nigel Hawthorn, marketing and channel director at proxy appliance vendor Blue Coat.
"This introduces the potential for bringing back malicious or offensive content. If left unmonitored, this could result in user productivity losses, legal liability and degradation of network availability."
One of the biggest culprits is instant messaging (IM). Businesses see IM in the same way they saw email a few years ago: a cheap, efficient communications medium allowing users to get responses in real time.
Unfortunately, it suffers from exactly the same potential hazards as email, without being protected by conventional email security.
Being client-server-based and routed through public networks, IM bypasses conventional security at the network gateway and on the desktop, such as firewalls and AV, and some systems are programmed to find alternative ways into the network if the expected port is blocked or secured.
IM is therefore open to viruses and other malware. There are no checks on what files or data are imported or exported, so companies cannot tell if staff are sending out secrets or receiving copyright-infringing material.
Nor is it possible to establish an audit trail or retain messages on file for legal reasons, since nobody in authority even knows they exist.
And online chit-chat can be as time-wasting as the face-to-face variety, leading to a 'virtual water cooler syndrome'.
Usage is mushrooming. IDC predicts that in 2004 the number of IM users will exceed 205 million - about a quarter of whom are in the workplace.
Gartner says about 70 per cent of enterprises are encountering unsanctioned consumer IM on their networks. And a survey by Blue Coat found that two-thirds of staff are using IM for personal use and spending an average of 30 minutes a day chatting.
AV vendor Sophos reports a rise in the number of worms spread via IM. Meanwhile, IM spam is now so prevalent - volumes will treble this year to four billion messages, predicts Ferris Research - that it even has its own name: spim.
IM needs to be controlled rather than banned, argues Mukesh Gupta, managing director of security distributor e92plus.
"Companies need to tighten up their policies relating to its use in the same way they're starting to with email and internet access," he says.
"IM has some clear business advantages, and simply banning it isn't the answer. It is better to have the right controls in place, just like we do for email and phone calls.
"Proper authentication, access control and AV protection are the chief concerns."
Tools to control IM are beginning to appear. AV vendors such as Symantec are creating plug-ins for IM clients. FaceTime's IM Director performs content filtering and challenge-response to catch spim, while proxy appliances such as Blue Coat's can control internet-based user communications and peer-to-peer (P2P) traffic.
Often spoken of in the same breath as IM, P2P file sharing is another useful technology that has got out of hand, and it exhibits many of the same characteristics and risks as IM, except that it is harder to see any potential benefits for businesses.
P2P allows users to directly access and download files on another user's computer. Napster was probably the best-known example, but other popular applications include Kazaa and Morpheus.
With its ability to bypass security devices such as firewalls, P2P is a perfect back door for viruses, worms and other nasties, with some, such as MyDoom, being specifically designed to infect shared files.
As with IM, users may also be breaching copyright, or downloading pornography or other banned material. And since P2P effectively 'advertises' what is on the user's computer, there are considerable risks to confidentiality of information and protection of personal data.
Waste is also a significant problem, not just of users' time as they download the latest movie or album, but of the organisation's bandwidth and disk capacity.
"P2P is incredibly bandwidth hungry," says Ian Kilpatrick, chairman of e-security distributor Wick Hill. "A demonstration of Allot Netenforcer with a reseller at one site revealed that one individual was monopolising over 80 per cent of the organisation's bandwidth, to the detriment of many thousands of other users.
"While the percentage was extreme, this wasn't an isolated example."
In Blue Coat's survey, 42 per cent of staff said they used P2P sites at work, and 60 per cent said they weren't bothered about infringing copyright on music and videos. WebSense, the employee internet management vendor, lists more than 6.2 million P2P web sites in its URL database.
P2P is a favoured method of introducing other nightmares to the IT manager: adware and spyware. These are applications which users have inadvertently downloaded onto their machines, for example by accepting some terms and conditions from a dodgy web site or P2P link without reading them.
The software may then track the user's movements on the web, bombard them with targeted advertising, harvest email addresses for spamming, or even capture their keystrokes as they type, or switch on the PC's microphone and eavesdrop on conversations.
Few IT managers realise the extent of the problem. "One major insurance customer of ours was convinced that its network was clean and that it was safe from some of the internet's hidden threats," says Frank Coggrave, UK regional director of WebSense.
"We ran our Client Policy Manager over the company's network and found 800,000 instances of spyware over a four-day period."
To date, spyware has remained a potential rather than an actual threat. But the effect of a technology that can read everything a user types or hears every word they say is potentially devastating.
As with other emerging threats, AV software and firewalls are often powerless against spyware.
"Effective security against spyware needs to be multi-layered to protect all points of access, at the desktop, server, firewall and, crucially, at the email gateway and HTTP proxy," says Pete Simpson, threat lab manager at email and web security vendor Clearswift.
"Content filtering is one of the most effective solutions, offering multi-layered protection and adapting to evolving threats and the changing corporate environment."
Users who bypass their employers' conventional security defences by, for example, visiting dodgy web sites, risk picking up malicious mobile code (MMC).
This is a fancy name for viruses, worms and trojans often contained in rogue Java, ActiveX or VBS code, such as the Nimda and Witty worms, which can download themselves from machine to machine without the user's permission or even knowledge.
Vendors of proactive security software, such as Finjan, argue that conventional reactive AV solutions are just too slow to react to MMC.
A rather different kind of threat, but one with potentially damaging consequences, is phishing. This uses 'conventional' malware techniques, usually spam, to try to kid unsuspecting individuals into parting with confidential information or visiting bogus web sites - or both.
"A good example was the PayPal attack in 2000, when a fraudulent email directed victims to www.paypa1.com," says Wayne Carter, regional channel director at intrusion prevention vendor McAfee, formerly Network Associates.
"The figure '1' had been substituted for the lower case 'L' in the company name, and in a browser they looked almost identical."
Most customers, when they receive an email requesting them to go online and divulge all their passwords and security information for a 'housekeeping exercise', smell a rat.
But there are enough naive people out there to create serious problems for the banks, building societies, auction sites, airlines, courier firms, ISPs, online retailers and other businesses that have been targeted by the phishers.
Once they have fielded numerous support calls, remunerated the victims, and even in some cases closed their web sites for a while, the companies involved can be left seriously out of pocket.
And the problem is spiralling. "The number of phishing attacks we've seen worldwide has increased from 300 million in August 2003 to over 2.9 billion in March 2004," says Mark Bruno, enterprise product manager at anti-spam vendor Brightmail, which was recently bought by Symantec.
"That represents about five per cent of all internet email worldwide. A single attack can consist of several million emails."
Phishing presents a real dilemma for businesses because they are used to protecting their staff's security but not that of their customers.
Part of the solution is educating customers not to fall for scams. But vendors such as Brightmail and MessageLabs offer services that monitor internet email and notify businesses as soon as phishing spam starts to circulate.
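A defender-side check for the 'paypa1' substitution described above, as an added example that is not part of the original article: it flags link hosts that reduce to a protected brand domain once look-alike characters are normalised, or that sit one typo away from it. The watch list, the confusable pairs and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

PROTECTED = ("paypal.com",)  # constructed watch list of brand domains (assumption)
# Look-alike pairs (assumed, not exhaustive): fake sequence -> character it imitates.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"), ("5", "s"))

def skeleton(name):
    """Collapse visually confusable characters to one canonical form."""
    name = name.lower()
    for fake, real in CONFUSABLE:
        name = name.replace(fake, real)
    return name

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]

def classify(link, protected=PROTECTED):
    """Return (verdict, brand) for a URL or bare host name taken from a message."""
    host = urlsplit(link if "//" in link else "//" + link).hostname or ""
    host = host.rstrip(".").lower()
    for brand in protected:
        # The brand itself, or a genuine subdomain of it.
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)
        # Compare only as many trailing labels as the brand has.
        tail = ".".join(host.split(".")[-brand.count(".") - 1:])
        if skeleton(tail) == skeleton(brand):
            return ("lookalike", brand)
        if within_one_edit(skeleton(tail), skeleton(brand)):
            return ("lookalike", brand)
    return ("unrelated", None)
```

A mail or web gateway would run such a check on every link host in a message; a production version would take registered domains from the Public Suffix List rather than counting labels.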
Phishing is just one way of stealing data in order to impersonate someone else, otherwise called identity theft. Thieves may also get hold of passwords, building access codes, or even personal data obtained online or through 'bin diving' (sifting through dustbins).
"The organisations most at risk are those that are 'opening up' their networks to access by staff needing remote access from home, client sites, and to clients and trading partners via extranets and web portals," says John Stewart, chief executive of Signify, a managed service provider focusing on corporate ID theft.
"If the credentials they use when they log in, such as passwords, are easily guessed, snooped or stolen, then their identity is seriously at risk of being misused.
"Authentication technology - tokens, smartcards, USB devices, biometrics - can't on its own deliver secure identity management. It takes a framework of policies, procedures, logistics and end-user support to back up the technology and deliver complete security."
As well as the risks inherent in new technologies, businesses may also find themselves facing an escalation of more conventional threats, such as the growing use of denial-of-service attacks to blackmail online trading companies such as banks, ISPs and online gambling and gaming web sites by threatening to crash their networks.
Intrusion prevention systems (IPS) are the answer, their vendors claim.
All of these new threats give the reseller's salesforce plenty of targets to aim at, and they may need to persuade customers to invest differently in future.
"Organisations have typically spent much the greater part of their IT security budget on improving protection for the email gateway, with relatively little on securing the web gateway," says Nick Sears, European vice-president of sales at Finjan.
"This must change as web-based security threats are set to increase significantly."
But businesses that have already shelled out for firewalls, AV, patch management, intrusion-detection systems and other 'basic' security tools are often reluctant to open their chequebooks yet again to protect their businesses against what they may perceive to be nebulous, unproven or plain incredible threats.
Coggrave advises starting at the top.
"Resellers have to fight hard to make security relevant to the board," he says. "The culture of business today is all about mitigating risks, so by demonstrating what could happen if the right policies aren't in place, resellers can attract their attention.
"What chief executive could ignore the fact that his network could be infected with spyware programmes that are capable of tracking personal keystrokes?"
Resellers are having to evolve almost as fast as the security threats they are trying to counter, as established technologies such as AV become commoditised and they seek more lucrative added value. Margins on products which stop emerging threats can be as high as 30 per cent, vendors say, with added-value services on top.
Kevin Chapman, channel sales director at Symantec, says: "In a rapidly changing marketplace, resellers can't approach a security opportunity with a product and a discount any more.
"They have to help customers understand how they should be implementing and managing their security policy, and develop long-term, value-added relationships with them."
Forming a security policy and disseminating it to staff is one of the most taxing tasks, but it is also one of the most necessary.
According to the Department of Trade and Industry's latest Information Security Breaches Survey, published in April, two-thirds of small businesses and more than half of medium-sized firms do not even have a formal security policy, so resellers may need to take the lead.
Staff can hardly be blamed for using P2P or misusing IM if nobody has told them it's forbidden, or for picking up spyware from dubious web sites or risking ID theft if they don't know the risks.
The best news for resellers is that security is not a single event but a journey, and one where the meter is always running. "What was accepted as good security 12 months ago will seem inadequate with the advance of technology, in terms of both threats and mitigation," says Paul Lawrence, EMEA general manager of IPS vendor Top Layer Networks.
"Providing advice and outlining an upgrade strategy to provide security solutions that represent best practice at that time will provide a consistent revenue stream for resellers."
Blue Coat (01276) 854 111
Brightmail (01293) 763 028
Clearswift (0118) 903 8903
e92plus (0870) 200 9292
Finjan (01344) 427 127
Signify (01223) 472 572
Symantec (01628) 592 222
Top Layer Networks (01483) 243 549
Unipalm (01638) 596 600
WebSense (01932) 796 001
Wick Hill (01483) 227 600