"I don't have to run faster than the bear," one hunter said to another after spotting the animal in the woods, "I just have to run faster than you."
Yes, I know it's an old joke that you've heard enough times that I don't really need to quote anything except the punch line. But the fact is, this old joke is also an important lesson about your physical and data security. You don't have to be perfect; you just have to be better than most others.
The idea of having security that's good enough to convince the bad guys to look elsewhere is important in terms of data security and physical security. The idea of having good security is more than just putting a lock on the door and an antivirus package on your computer. First, you need to think about the risks your organization is most likely to face, the resources you're likely to have on hand to deal with the risk and then work from there.
When I write about physical security, no doubt your thoughts immediately turn to a county office building and a conference room full of public employees celebrating a seasonal holiday in California, but in reality, this isn't the kind threat you can focus on because it is so unpredictable and so inexplicable that it is extremely hard for any organization to defend against.
Instead, you need to consider several types of threats that could impact your security on a more predictable basis, since those are far more likely than the random terrorists, despite how deadly that type of attack may be.
The threats that are more likely to affect you on a day-to-day basis are from other sources. For example, you're far more likely to be impacted by what's considered petty theft in most scenarios. This might be the thief who strolls into your conference room while everyone is on lunch break and steals their laptops.
In a retail setting, it might be low-level organized crime, such as a group of a half-dozen thugs who storm your store as a mob and steal everything in sight before running out again. Or it might be the credit card thief who enters your office through an unlocked door and takes a server while the cleaning crew is on another floor.
The challenge for your business is determining what the threats actually are. It's not a huge leap to figure out that unguarded laptops are ripe for stealing. But what about that server sitting on a table in an office or in a closet down the hall?
While you know about hackers breaking into your network from some foreign country, what about someone sitting in your reception area who has quietly plugged into an Ethernet port there? Or perhaps that person in your reception area is running a man-in-the middle attack on your WiFi router?
But the threats to your organization go beyond the obvious. Ask yourself who would benefit if your company was hampered because someone stole that server from the closet down the hall? How would you prevent a former employee from connecting to your network and downloading your trade secrets?