One of my clients was recently hit (again) by the Conficker worm. The company's systems were all fully patched, yet the malware still managed to infiltrate hundreds of machines. It was evident that the worm was able to spread rapidly via a network share vector. But the real question remains: How did the worm infiltrate the network in the first place, given that all the systems were patched?
This scenario perfectly illustrates the importance of root-cause analysis -- that is, determining how your company can be most successfully attacked by malware and malicious hackers. While there's no single, general recipe for achieving this goal -- that requires a full security review of your particular environment -- you need to perform a dollar-wise risk assessment, starting with a root-cause analysis.
In the case of the Conficker infestation, the client didn't share the modality, but often the culprit is an infected USB key. A user, often an IT employee, sticks the drive into a computer, which then autoruns the worm. Voila! The root cause for hundreds of PCs infected over the network isn't network drive shares; it's an infected USB drive. Don't get me wrong: Addressing the network drive share problem is important, but addressing the first vector, the root cause, is more important.
Every company should endeavor to collect root-cause statistics and track them over time. Every time a malware program or exploit is found, investigators should document how they or the user thinks it happened. Collecting these sorts of metrics will allow you to spot emerging trends and enable you to respond more aggressively and more often to emerging modalities.
Many companies tell me that they don't have the staff to perform a complete forensic investigation on every malware infection. You don't need to be perfect, though; good enough will suffice. Many users can tell when their systems are infected. Eventually, their reports will reveal true patterns.