The attack found entry through a couple of old vulnerabilities, one of them a Windows hole that's been known and patchable since September, 2006. Another entry-point was a RealPlayer vulnerability from a few months ago, also fixable with a patch. (Look here for news of a newer RealPlayer flaw.)
And therein lies the lesson -- whether your small or midsize business manages its own Web site and pages or hires their management out, insistence upon the strictest adherence to patch policies and their implementation is as essential to your business security as antivirus, firewall and other updates.
No way around this -- because the hackers clearly know their way around this.