I recently did some work for a customer that had an interesting perspective on the physical security of devices. We were talking about putting some specific controls in place to hold encryption keys, and when we mentioned that we could put them on little USB sticks (not an HSM, but think like that), they said “Oh, if we do that they will disappear from the stores.”

Employee or customer theft of devices sure does not come up as something we deal with every day.

This particular company ran largely a cash-based business, and had a very small group of customers that paid by credit card. They were actually considering completely dropping all credit card acceptance because of the added risk they took on. The nature of this customer’s business includes high turnover.

When asking more about the physical security component, they built in some component of “acceptable loss” into any purchase going into their stores. For example, RAM would regularly be stolen out of PCs placed in stores. Part of their decision making process to purchasing equipment was based on how easy it was to steal, and what the replacement costs were. Meaning, they had built in an acceptable loss component into certain purchases for IT.

That was a unique perspective. For them, it is cheaper long term to just buy equipment that is hard to steal than it is to build physical security into pieces of their infrastructure.

This post originally appeared on BrandenWilliams.com.