Security personnel should keep three things in mind: 1) purveyors of malware are smart, 2) crooks are not afraid to change with the times, and 3) statistics often lie.
This Network World story says that malware makers are personalizing attacks by harvesting readily available information from their victims. These "intelligent attacks" recognize the type of browser the target is using, the language of the request, the IP address of the victim's machine and other factors that can help their attacks succeed.
In a related trend, phishing attacks are growing more specialized. For instance, hackers increasingly eschew the age-old (in terms of the Internet, at any rate) tactic of sending phishing e-mail indiscriminately to millions of accounts. "Spear phishing" attacks instead focus on finding targets who may actually have a reason to expect mail from the organization the crook is masquerading as. Image spam -- evading filters by hiding spam in JPEG, GIF or other picture files -- also is getting more sophisticated.
That brings up a related point: Don't trust raw numbers, which are more valuable in an era of massive but unsophisticated attacks. The more efficient use of browser-provided data, the better targeting of phishing attempts, and other innovations are designed to increase the success of exploits while reducing their total number. Vendors may legitimately claim that their products are throttling higher numbers of botnet attacks, spam and other Web illnesses. However, the true test is how they do against the more sophisticated exploits.
Put another way, purveyors of spam and the phishing attacks it often contains are moving from quantitative to qualitative attacks. The bottom line for organizations is to take seriously, but with a grain of salt, vendors' claims that they prevent a certain percentage of problems. It is only within a fuller context that a CSO can determine how much importance to assign to these seemingly impressive numbers.