Are You The Weakest Link?
So you think you do a good job with security. You spend precious time every week/month making sure that you download all the latest updates and patches for desktops, databases, and web servers. You encrypt customer information before you back it up and store it offsite in a guarded facility. You are the most paranoid programmer around, validating all form input, and detecting scripting attacks on the fly. Then you walk down the hall and see four boxes chock full of customer data sitting outside the back door of your office. None of it is encrypted, none of it is guarded. It's just sitting there out in the open.
This photo was taken in the office building I work in every day. Those boxes have been sitting in a hallway outside of the back door of a mortgage banking company for the past THREE DAYS!!!!
You might also notice that the door is propped slightly open by a deadbolt that's extended. This door has been propped open in this way every day since I've worked in this building.
You are only as secure as your weakest point, and that point isn't always on the network.
Although many of these security issues are created by a Space Cadet in an Administrative Assistant's shoes, it's also common for software developers to focus on application security while neglecting physical security. While a developer may remember to lock her workstation every time she walks away from it, what about that debugging output sitting on her desk? Is there customer information on it? Did she leave it out on top of her desk at the end of the day when she went home? Should it be thrown away? Should it be shredded? Maybe it should be locked inside the desk. It's always a good idea to think about the physical security of data and not just the electronic security of it. Not enough of us do.

Months later I borrow the laptop bag and guess what I find in one of the pockets?
I now keep everything PGP encrypted. If someone wants a password they can ask me for it. A bit inconvenient but I don't care :)
# Posted By Jim | January 21, 2005 6:02 PM