The successful spread of virtually every macro or script-based virus
hinges on the user performing a "trigger" event to bootstrap it into
action. But educating users on how viruses work, the danger they pose, and
what not to do isn't enough to change their e-mail habits.
Experts stress that attempting to modify user behavior to thwart viral
infections is a fool's game. Mike Serbinis, chief security officer for
Critical Path, an outsourced
e-mail service provider, says IT managers often blame end users for
proliferating viruses. "This is the wrong way to look at the problem," he
says. "Viruses should be stopped at the server and service levels before
they ever reach the end user."
Roger Grimes, vice president of IT for MRD Technologies and author of
the forthcoming book Malicious Mobile Code: Protecting Your Windows
System (O'Reilly & Associates), concurs. "From a sysadmin level
you can't assume end-user education will ever work," he says. "You have to
prevent virus codes from getting to that stage."
Experts recommend a layered defense of protective systems at key focal
points: a carefully tuned firewall at your company's Internet gateway, an
antiviral filtering and quarantining proxy attached to your mail server,
and antivirus software on each desktop.
Together, this defensive troika can spare your company from a majority
of viral scourges. And when teamed with the services we discuss here, you
can rest assured your antivirus signature databases are being updated
every 5 minutes around the clock.
Surprisingly, the worst offenders in a company are those in upper
management. Although companies generally have security and virus policies
in place and antivirus products installed, neither is updated frequently
enough, and time and again new infections or breaches in security occur
because those in upper management believe the rules don't apply to them.
Stephen Cobb, director of research and education for information-security
solutions provider Rainbow Technologies' Spectria division, points to last
year's suspension of CIA director John Deutch for storing classified files
on his unsecured home PC. "If you can't trust the director of the CIA to
follow existing security directives, can you trust the average corporate
manager?"
If those at the top follow the rules, and make it clear that others
should do so as well or suffer the consequences, you'll see a lasting
shift in mentality from one where security is someone else's business to
one where users view security proactively.