I'm glad to see that a recent trend is to look just as closely at physical security as at data security. It may be a no-brainer to most, but I hate to see data centers wide open, laptops sitting all alone, and workstations up and running in an empty office.
A good way to look at this is to understand that by securing physical equipment, you are protecting not only against data theft but against equipment theft as well. Believe it or not, a huge amount of critical data is lost through equipment theft. The thief couldn't care less about what's on the computer - they just want the system itself. So - by taking physical security seriously, you're killing two birds with one stone.
Laptop protection:
Lifehacker is running a post now based on a PC World story on laptop theft. Some of the key points I'm always reminding people of are:
1. Go ahead and install something like TrueCrypt to easily mount and dismount a volume to store sensitive data.
2. Laptop bags are to thieves what honey is to a bear. They can smell one a mile away. Keep yours with you or locked up at all times (i.e. put the damn thing in your trunk when you're at lunch instead of on your front seat).
3. If you're using a shared workspace in a library or similar setting - be the geek that uses a physical locking cable. They work. They may be easy to cut, but keep in mind that you're only using it in public areas, where it would be much more obvious for a thief to cut a cable than to grab your computer.
4. Consider some kind of LoJack-type software that will let you find the laptop if it's connected to a network.
Data Centers:
I'm working on a few data centers now. If the resources put into HVAC systems, power conditioning and backup were put into security, there would rarely be issues. Think about it: you've already made the decision to invest in protecting your data against overheating servers, power spikes or outages (I hope) - why not protect it against the part-time worker who wants easy cash for a server? Are all your code monkeys perfectly content at work? None of them would love to stick it to the man? Any one of them could do untold damage to your systems, and be much less detectable or traceable, by physically accessing them from the data center instead of over the network. (No offense to code monkeys in general; I love you personally.) Then tack on all the risks associated with people wandering into the data centers looking for a place to hide out on break, etc.
When it comes to data centers - card readers on the doors are not enough. You need to record all entries and exits, as well as make sure someone knows if there is activity inside. People "piggyback" behind each other through card-reader doors, so you have to either install anti-piggybacking components or enforce anti-passback.
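To make the anti-passback idea concrete, here is an added example (my own code, not something from the original post or any access-control product) that replays a badge-reader audit log and enforces the rule that every badge must alternate IN and OUT. The log format, timestamps and badge numbers are constructed for the example. A second IN while the badge is still inside is denied, because it means the card was passed back out or its holder piggybacked someone out; an OUT for a badge that never badged in is allowed (you don't lock people in) but flagged, because that holder piggybacked in. The final occupancy set is the "someone knows there is activity inside" check.

```python
"""Anti-passback replay over a badge-reader audit log.

Added example, not code from the original post. It assumes a constructed
log format of one event per line: "<timestamp> <badge_id> <IN|OUT>".
"""
from dataclasses import dataclass, field

# Constructed sample log. Badge 1001 enters and exits normally. Badge 1002
# badges IN a second time without ever badging OUT (the card was passed back
# to someone outside, or the holder let someone piggyback out). Badge 1003
# badges OUT without a recorded entry (its holder piggybacked in).
SAMPLE_LOG = """\
2024-05-01T08:00:00 1001 IN
2024-05-01T08:05:00 1002 IN
2024-05-01T08:30:00 1001 OUT
2024-05-01T08:31:00 1002 IN
2024-05-01T09:00:00 1003 OUT
2024-05-01T09:10:00 1002 OUT
"""


@dataclass
class Replay:
    inside: set = field(default_factory=set)        # badges currently in the room
    decisions: list = field(default_factory=list)   # (ts, badge, direction, ALLOW|DENY)
    violations: list = field(default_factory=list)  # (ts, badge, reason)


def parse_event(line):
    """Split one log line into (timestamp, badge, direction); reject malformed input."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in ("IN", "OUT"):
        raise ValueError(f"malformed badge event: {line!r}")
    return parts[0], parts[1], parts[2]


def replay(log_text):
    """Apply anti-passback rules to each event in order.

    A badge must alternate IN/OUT. A second IN while the badge is still
    inside is denied and flagged. An OUT for a badge never seen entering is
    flagged but still allowed: egress is never blocked, it is just reported.
    """
    r = Replay()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, badge, direction = parse_event(raw)
        if direction == "IN":
            if badge in r.inside:
                r.violations.append((ts, badge, "double entry: badge still inside"))
                r.decisions.append((ts, badge, direction, "DENY"))
                continue
            r.inside.add(badge)
        else:
            if badge not in r.inside:
                r.violations.append((ts, badge, "exit without entry: piggybacked in"))
            else:
                r.inside.remove(badge)
        r.decisions.append((ts, badge, direction, "ALLOW"))
    return r


def occupancy_report(r):
    """Badges still inside after the replay, i.e. who the room is not empty of."""
    return sorted(r.inside)


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for v in result.violations:
        print("VIOLATION", *v)
    print("still inside:", occupancy_report(result))
```

Run against the sample log, the replay denies the second entry for badge 1002, flags the unexplained exit for badge 1003, and reports an empty room at the end; a real controller would feed the same two violations to whoever is watching the room, and the occupancy set is what tells them the data center is not actually empty at 2 a.m.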
There's a lot more to data center security than can be summed up here - so maybe I'll write a more comprehensive post in the near future.
On one hand, it's much more "low impact" for someone with nefarious intentions to get into your system remotely over a network connection or some other way. But at the end of the day:
Value of your information + amount of desire the threat has for your information = the lengths they will go and the exposure they will risk to get it.
Even though most of the people who commit information theft don't consider the information worth their jobs or freedom, there are many situations where it's not that risky for them to commit the crime because the chance they will get caught is low. In cases like that, where it's technically easier for them to get the data physically through your system or a server - you can bet that's how they will do it.