Endpoint security without the pain

23.01.2006

Countermeasures begin with the basics: antivirus and antispyware software and a firewall on every endpoint computer. The next step includes products, such as those used by Pearson, that allow administrators at a central console to lock down the applications or the physical devices a user can access on his machine and monitor attempts to bypass the controls.
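The central-console lockdown described above comes down to a policy that decides, per launch and per attached device, whether the user is allowed to proceed, and records the attempts that were refused. The following is an added example, not code from the original article or from any product it mentions; the executable bytes, the vendor/product IDs and the user names are constructed for illustration. It shows the one design choice that matters most for an application allowlist: identify programs by content hash rather than by file name or path, so that renaming an unapproved binary to an approved name does not get it past the check.

```python
"""Hash-based application and device allowlist with bypass logging.

Added example (not the article's or any vendor's code). Executable
contents, device IDs and users below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents. A real endpoint agent hashes
# the file (or the image being mapped) at launch time, before it runs.
APPROVED_EDITOR_BYTES = b"MZ\x90\x00 approved text editor build 1.0"
UNKNOWN_TOOL_BYTES = b"MZ\x90\x00 tool the user downloaded at home"


@dataclass
class LockdownPolicy:
    """Central policy pushed to every endpoint.

    Applications are identified by content hash, never by file name or path,
    so renaming a blocked binary to an approved name does not bypass the check.
    Devices are identified by (vendor_id, product_id).
    """
    approved_app_hashes: set
    approved_devices: set
    events: list = field(default_factory=list)   # blocked attempts for the console

    def _record(self, user: str, kind: str, detail: dict) -> None:
        self.events.append({"user": user, "kind": kind, "detail": detail, "action": "blocked"})

    def check_launch(self, user: str, path: str, contents: bytes) -> bool:
        """True if the program may run; otherwise log the attempt and refuse."""
        digest = sha256_hex(contents)
        if digest in self.approved_app_hashes:
            return True
        self._record(user, "app", {"path": path, "sha256": digest})
        return False

    def check_device(self, user: str, vendor_id: str, product_id: str) -> bool:
        """True if the device may be used; otherwise log the attempt and refuse."""
        if (vendor_id, product_id) in self.approved_devices:
            return True
        self._record(user, "device", {"vendor_id": vendor_id, "product_id": product_id})
        return False

    def bypass_attempts(self, user: str) -> list:
        """What an administrator sees for one user: every refused launch or device."""
        return [e for e in self.events if e["user"] == user]


def default_policy() -> LockdownPolicy:
    """Constructed policy: one approved editor, one approved company USB key."""
    return LockdownPolicy(
        approved_app_hashes={sha256_hex(APPROVED_EDITOR_BYTES)},
        approved_devices={("1234", "5678")},   # constructed vendor/product ID
    )


if __name__ == "__main__":
    policy = default_policy()
    editor_path = r"C:\Program Files\Editor\editor.exe"
    print(policy.check_launch("bob", editor_path, APPROVED_EDITOR_BYTES))   # allowed
    # Same approved path, different bytes: the rename trick is caught.
    print(policy.check_launch("bob", editor_path, UNKNOWN_TOOL_BYTES))      # blocked
    print(policy.check_device("bob", "1234", "5678"))                       # allowed
    print(policy.check_device("bob", "abcd", "0001"))                       # blocked
    for event in policy.bypass_attempts("bob"):
        print(event)
```

Two caveats a practitioner would raise. The hash check has to run where the program is actually loaded (a kernel-mode hook in a real agent); a user-mode check that reads the file and then lets the OS load it separately can be raced. And because every vendor patch changes a binary's hash, the approved-hash set needs updating with each update cycle, which is exactly the management work the article warns IT staff about.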

The most ambitious and expensive strategy, usually adopted by larger organizations, is a network access control system that runs on servers or on network appliances and scans network traffic for attacks that enter the network through an endpoint. Such products may require a device to have the proper security patches and updates before it is allowed onto the network, determine when and how users can access a wireless network, and control the flow of traffic across the network to limit attacks. Whatever the approach, users don't want to be hamstrung -- and IT managers don't want to be overwhelmed by the work involved in managing those controls.
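The admission decision a network access control system makes from an endpoint's posture report is easy to state and easy to get subtly wrong. The following is an added example, not the article's code or any NAC vendor's; the posture reports, the patch-level strings, the policy thresholds and the assessment date are constructed. It shows the checks the paragraph lists (patch level, antivirus state, host firewall, when wireless is permitted), compares patch levels numerically rather than as strings, and fails closed when a report cannot be evaluated.

```python
"""Network admission decision from an endpoint posture report.

Added example (not the article's or any vendor's code). All reports,
policy values and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PostureReport:
    """What the endpoint agent reports about itself. Values are constructed."""
    host: str
    os_patch_level: str          # dotted version string, e.g. "5.1.2600.2180"
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    wants_wireless: bool


@dataclass(frozen=True)
class AdmissionPolicy:
    """Central policy the NAC server enforces. Values are constructed."""
    min_patch_level: str
    max_signature_age_days: int
    require_firewall: bool
    wireless_hours: range        # hours of the day when wireless access is permitted


def parse_version(text: str) -> tuple:
    """Compare patch levels numerically: "5.1.10" is newer than "5.1.9",
    which a plain string comparison would get wrong. Raises ValueError
    on anything that is not dotted integers."""
    return tuple(int(part) for part in text.split("."))


def evaluate(report: PostureReport, policy: AdmissionPolicy, today: date, hour: int) -> tuple:
    """Return ("admit", []) or ("quarantine", [reasons]).

    Any check that cannot be evaluated fails closed: an endpoint reporting an
    unparseable patch level is quarantined, not admitted.
    """
    reasons = []

    try:
        if parse_version(report.os_patch_level) < parse_version(policy.min_patch_level):
            reasons.append(f"patch level {report.os_patch_level} below required {policy.min_patch_level}")
    except ValueError:
        reasons.append(f"unparseable patch level {report.os_patch_level!r}")

    if not report.av_running:
        reasons.append("antivirus not running")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(f"antivirus signatures {age} days old (max {policy.max_signature_age_days})")

    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")

    if report.wants_wireless and hour not in policy.wireless_hours:
        reasons.append(f"wireless access not permitted at hour {hour}")

    return ("admit", []) if not reasons else ("quarantine", reasons)


POLICY = AdmissionPolicy(
    min_patch_level="5.1.2600.2180",
    max_signature_age_days=7,
    require_firewall=True,
    wireless_hours=range(7, 20),   # 07:00 to 19:59
)

ASSESSMENT_DATE = date(2006, 1, 23)   # constructed

# Constructed posture reports for three endpoints.
COMPLIANT = PostureReport("lt-001", "5.1.2600.2180", True, date(2006, 1, 20), True, True)
STALE = PostureReport("lt-002", "5.1.2600.2096", True, date(2006, 1, 1), False, True)
GARBLED = PostureReport("lt-003", "unknown", True, date(2006, 1, 20), True, False)


if __name__ == "__main__":
    for report in (COMPLIANT, STALE, GARBLED):
        decision, why = evaluate(report, POLICY, ASSESSMENT_DATE, hour=9)
        print(report.host, decision, "; ".join(why))
```

Returning every failed check rather than stopping at the first one matters in practice: a quarantined user who sees "patch level too old; antivirus signatures 22 days old; host firewall disabled" can fix all three at once instead of being bounced three times, which is part of what keeps the system from feeling like a hamstring to users and a help-desk burden to IT.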

"If you're locking those [endpoint] systems down too much, it may interfere with the users' ability to perform their jobs," says Diana Kelley, an analyst at Burton Group in Midvale, Utah. "You've got to balance how tightly you're going to lock down those systems versus what users are not going to do if you're using a solution that forbids the installation of new software."

Fingerprint readers, which let users log on with a finger scan instead of typing a password, can increase security without making users' lives harder. Lenovo has sold nearly a million notebooks with such scanners, says Anderson. "The technology has evolved to the point where it is becoming more viable for mainstream mobile users," says Matt Wagner, senior manager of security and wireless product marketing at Hewlett-Packard Co.

Knowing that most end users don't have the time, interest or knowledge to decide which software or devices are safe to use on their PCs, some vendors instead focus on offering systems that support companywide security policies that make those decisions for the user. That, however, can shift the work from the user to the IT manager.