Setting and enforcing security policies is a big step toward protecting enterprises from the inside threat. Another is adding better real-time protection to every device--desktop computers, notebooks, and handhelds--that connects to the corporate network. Security vendors also say they're developing better tools to build and enforce end-point security policies, and they're also enhancing end-point firewalls to protect devices in the hands of employees.

One of the biggest threats today is the unprotected notebook of the trusted employee or even a visiting consultant. "The week Slammer hit, we had a consultant log on to our network, and it went crazy with traffic," says the chief information security officer at a consumer-goods manufacturer. "He was running an application that got infected, and he didn't know it. If we hadn't had our networks segmented, it would have been much more serious than it was."

It's a growing problem, says John De Santis, CEO and president of end-point security vendor Sygate Technologies Inc. More workers visit places such as Internet cafes to check their E-mail or read news updates, and some unwittingly find themselves infected with keystroke loggers, worms, or Trojan horses. When they later connect to office networks, they can infect other systems, have their passwords stolen, or have every keystroke captured and sent to an attacker or a nosy hacker.

One popular way to combat those threats is to install a personal, or client, firewall. Annual sales of end-point security products are expected to soar from $140 million last year to $556 million by 2008, says research firm Frost & Sullivan, as enhanced products are delivered by vendors such as InfoExpress, Internet Security Systems, Sygate, Symantec, and Zone Labs.

"Companies will be adding these across their desktops," says Frost & Sullivan analyst Jason Wright. "It's not just for mobile devices. They're looking to add another layer to their defense. End-point security applications add a defense that can understand what's going on on individual systems."

That's important because "there isn't an inside or an outside anymore," Sygate's De Santis says. At many companies, 25% to 30% of users are logging on to the network with notebook computers.

In many cases, users are simply unaware their actions can create severe security risks. Most don't know that turning off their antivirus or client firewall software to access Web sites creates risks to the security of corporate networks and business information. They don't realize that reinstalling an old version of a Web browser without updating the patches creates a security risk. And many aren't aware that setting up a wireless access point in their home offices could open enough of a security hole for a determined attacker to sneak into the corporate network.

Ken Tyminski, Prudential Financial Inc.'s chief information security officer, understands the problem. The financial-services company, with $26.7 billion in annual sales, got hit in September 2001 when the Nimda worm swarmed the Internet. Prudential Financial installed Sygate's security software after investigating ways to combat viruses and blended threats, and its perimeter defenses held the worm at bay. But a remote user got infected and managed to infect other systems after connecting to the network through Prudential's VPN. "Our damage was minimal," Tyminski says. "But these blended threats change everything." Blended threats, which are viruses or worms that exploit several software vulnerabilities to infect systems, increase the need to lock down all devices that connect to the network, he says.

Prudential Financial uses Sygate software to ensure that antivirus signatures, which are used to recognize attacks on systems, are kept up to date, and the company is considering deploying the software on internal desktops as well. "There's a big debate raging about this," Tyminski says. "We have antivirus software on every desktop, but how do we know they're always up to date and enforce that?" Security vendors need to offer better products for end-point devices. "The game is changing," he adds. "You have to bring better control to the end points."