These 'ways in' turn out to include partners, associates and third-parties, many of whom have remote access rights to larger enterprises without themselves having good security. Symantec reckons that two of the most targeted professions include personal assistants and PR people, two groups seen as easy-to-penetrate stepping stones to more valuable targets.
Given the number of attacks on the media by groups such as the Syrian Electronic Army, one could also add journalists to that list even if those are motivated more by ideology than data. The figures for 2014 will be interesting. Was last year an anomaly or a marker for what is now inevitable?