Surprisingly, many organizations do not consider physical security to be of the utmost concern. As an example, one New York investment house was spending tens of thousands of dollars on computer security measures to prevent break-ins during the day, only to discover that its cleaning staff was propping open the doors to the computer room at night while the floor was being mopped. A magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday. An employee had used an electronic key card to unlock the building and disarm the alarm system; after getting inside, the person went to the supply closet where the alarm system was located and removed the paper log from the alarm system’s printer.

Other organizations feel that physical security is simply too complicated or too difficult to handle properly. No amount of physical security on the part of the tenants of the World Trade Center could have protected them from the collapse of their office buildings after the terrorist attack of September 11, 2001. Likewise, few organizations have the ability to protect their servers from a nuclear attack. But it is important not to let these catastrophic possibilities paralyze and prevent an organization from doing careful disaster planning. Those organizations that did the best job of restoring operations after September 11 were the ones that had spent the money to build and maintain redundant off-site mirror facilities.

Physical security ...