But those in the know say the tide may be turning. The recent Blaster virus is believed to have been on reconnaissance. The City, increasingly concerned about the resilience of its firms and institutions, is waking up to the risks of more sophisticated cyberattacks.
Too often, pain prompts action. It took the Melissa virus infection to change Microsoft's approach to security. Since then, rafts of viruses should have alerted chief executive officers to the true risk and to their personal due diligence liability. It is paradoxical, then, that many IT directors still find it hard to get money for IT security.
There has been talk of security software suppliers sexing up the IT security threat. Discounted by the real experts, this is a red herring. IT security is not just a question of products; it is also about having clear security policies maintained and enforced across organisations.
These policies should be wide, embracing applications such as mobile computing, instant messaging, wireless, grid computing and peer-to-peer technology. It is up to boards to decide the level of business risk they are prepared to accept in each of these areas.
End-user education and awareness programmes, such as the Corporate IT Forum's "Think before you click" campaign, are then at their most effective.
It is salutary to visit the website of Tim Berners-Lee, the inventor of the World Wide Web. He probably understands web-borne risk better than anyone, and he does not accept Microsoft Office documents or attachments sent from Microsoft Outlook.
But given our dependence on shaky infrastructures, how many firms could go that far today?
This was first published in September 2003