A customer has invested in firewalls, anti-virus software and intrusion detection systems that are all regularly monitored and updated.

It downloads patches, backs up data, trains its staff, secures its wireless networks, and never, ever writes passwords on Post-it notes (well, hardly ever). So it has got security sorted, right?

Wrong. These measures should protect against most conventional threats. But IT security never stands still. There is always a new threat.

This is bad news for users, no doubt, but good news for the security industry and the resellers who support it.

Over the past few months, security threats have changed alarmingly, exploiting new technologies and bypassing traditional defences to slip in by the back door.

Instead of using email to gain entry and working at the operating system level, attackers are increasingly turning to the web and aiming at specific applications, rendering them invisible to many firewall and anti-virus (AV) products.

"Today's users can effortlessly access the internet and internet-based applications from the workplace," says Nigel Hawthorn, marketing and channel director at proxy appliance vendor Blue Coat.

"This introduces the potential for bringing back malicious or offensive content. If left unmonitored, this could result in user productivity losses, legal liability and degradation of network availability."

One of the biggest culprits is instant messaging (IM). Businesses see IM in the same way they saw email a few years ago: a cheap, efficient communications medium allowing users to get responses in real time.

Unfortunately, it suffers from exactly the same potential hazards as email, without being protected by conventional email security.

Being client-server-based and routed through public networks, IM bypasses conventional security at the network gateway and on the desktop, such as firewalls and AV, and some systems are programmed to find alternative ways into the network if the expected port is blocked or secured.

IM is therefore open to viruses and other malware. There are no checks on what files or data are imported or exported, so companies cannot tell if staff are sending out secrets or receiving copyright-infringing material.

Nor is it possible to establish an audit trail or retain messages on file for legal reasons, since nobody in authority even knows they exist.

And online chit-chat can be as time-wasting as the face-to-face variety, leading to a 'virtual water cooler syndrome'.

Usage is mushrooming. IDC predicts that in 2004 the number of IM users will exceed 205 million - about a quarter of which are in the workplace.

Gartner says about 70 per cent of enterprises are encountering unsanctioned consumer IM on their networks. And a survey by Blue Coat found that two-thirds of staff are using IM for personal use and spending an average of 30 minutes a day chatting.

AV vendor Sophos reports a rise in the number of worms spread via IM. Meanwhile, IM spam is now so prevalent - volumes will treble this year to four billion messages, predicts Ferris Research - that it even has its own name: spim.

IM needs to be controlled rather than banned, argues Mukesh Gupta, managing director of security distributor e92plus.

"Companies need to tighten up their policies relating to its use in the same way they're starting to with email and internet access," he says.

"IM has some clear business advantages, and simply banning it isn't the answer. It is better to have the right controls in place, just like we do for email and phone calls.

"Proper authentication, access control and AV protection are the chief concerns."

Tools to control IM are beginning to appear. AV vendors such as Symantec are creating plug-ins for IM clients. FaceTime's IM Director performs content filtering and challenge-response to catch spim, while proxy appliances such as Blue Coat's can control internet-based user communications and peer-to-peer (P2P) traffic.

Often spoken of in the same breath as IM, P2P file sharing is another useful technology that has got out of hand, and it exhibits many of the same characteristics and risks as IM, except that it is harder to see any potential benefits for businesses.

P2P allows users to directly access and download files on another user's computer. Napster was probably the best-known example, but other popular applications include Kazaa and Morpheus.

With its ability to bypass security devices such as firewalls, P2P is a perfect back door for viruses, worms and other nasties, with some, such as MyDoom, being specifically designed to infect shared files.

As with IM, users may also be breaching copyright, or downloading pornography or other banned material. And since P2P effectively 'advertises' what is on the user's computer, there are considerable risks to confidentiality of information and protection of personal data.

Waste is also a significant problem, not just of users' time as they download the latest movie or album, but of the organisation's bandwidth and disk capacity.

"P2P is incredibly bandwidth hungry," says Ian Kilpatrick, chairman of e-security distributor Wick Hill. "A demonstration of Allot Netenforcer with a reseller at one site revealed that one individual was monopolising over 80 per cent of the organisation's bandwidth, to the detriment of many thousands of other users.

"While the percentage was extreme, this wasn't an isolated example."

In Blue Coat's survey, 42 per cent of staff said they used P2P sites at work, and 60 per cent said they weren't bothered about infringing copyright on music and videos. WebSense, the employee internet management vendor, lists more than 6.2 million P2P web sites in its URL database.