This is exactly the problem: there is no single biggest threat, but a huge and ever-growing variety of attacks and combinations of attack methods, the so-called "Blended Threats".
What measures should a small to medium-sized company deploy in order to secure itself?
Today small and medium companies (as well as large enterprises) should consider a UTM (Unified Threat Management) appliance which combines a Firewall with gateway Content Security (URL Filter, AntiVirus, Intrusion Prevention), such as the Cyberguard SG product range. This approach offers a reasonable and homogeneous combined level of protection, and is easy to deploy and manage.
What's your take on the increasing trend of companies monitoring employee activity? Does it really improve security or diminish confidence? Should there be more education instead?
Only monitoring people is like sending people only to driving classes and to tests to obtain a driver's license, but without establishing and enforcing traffic rules. Without the latter, things simply get out of control and traffic chaos would be the result. You don't want this to happen to your company network traffic, but you need to balance this against the desire to keep productivity up. So you need a security policy that covers internet usage, training to ensure that employees understand and can work within the policy, and a unified technological solution that enforces the policy and improves productivity.
Is instant messaging a blessing since it allows a more dynamic working environment or does it just bring forward more security problems?
Instant messaging can substantially increase productivity if used in a responsible manner. It represents another application layer protocol stream and therefore adds additional risks. However, these risks are not worse or more difficult to control than the security risks associated with Email or Web traffic. Therefore there is no reason for irrational fear.
What can we expect in the future? How do you see the most common threats evolving 2 years from now?
I see the next two years characterized by the following risks:
1) Risk of more dedicated/focussed attacks on a department or even an individual in an organisation (espionage).
2) Attacks which today mainly come from Email traffic will spread and be distributed equally over all existing and new application layer protocols (like SIP for VoIP).