We are an online business.
We have a very powerful server with hard disk mirroring in our office that we are using for a variety of internal business-critical functions.
We want to keep that machine in our office but we want to make sure it is as secure as possible (within reason).
Obviously we are already backing it up everyday off-site.
My question is more about not-too-expensive physical measures to protect the machine against thieves and disasters such as fire.
What would you suggest?
Normal Security:
1. Out of sight, out of mind - Put the servers where they can't be seen by anyone but IT.
2. Locks - Locks keep almost everyone out.
3. Alarm - Alarms are for the people that locks don't keep out.
4. Cameras - For keeping a record of who/what happened. Some of these can be very cost effective and another deterrent.
Fire:
1. Less Flammable - Keep as little flammable material around your servers as possible. Steel enclosures help a bit; especially if they have self contained cooling and do not draw in outside air.
2. Basic Suppression - Sprinklers are good enough unless you need a very high SLA. Keeping your equipment in air-recirculating enclosures will protect them from the water (for the most part, not totally obviously).
3. Advanced Suppression - Halon and other non conductive systems can be installed for data centers; but are frequently deadly to humans, so special considerations must be taken for them. They're also very expensive.
In any case you should not be looking for "cheap" solutions; you should put some though into how likely these things are, multiply by how much the downtime would cost, and create an appropriate budget for disaster planning. From there find efficient solutions. Some of these are good practices anyway, like the air-recirc enclosures. They provide organization, theft & access security, a small degree of fire protection, and help defend against sprinklers/fire suppression.
To my knowledge, any fire-related protection will be fairly expensive. Beyond attaching your UPS's emergency power-off (EPO) functionality to your building's fire suppression system such that the EPO is tripped when the fire suppression system kicks in, I don't think there's much more you can do in a small office for reasonable money.
Protecting against theft to any great degree is also going to be expensive. Hopefully your server is covered by the physical security mechanisms already in your building-- alarm, cameras, motion detectors, locked doors, etc. To secure the box itself I've used padlock hasps or Kensington lock attachment points that some server computers come equpped with to secure them from being opened and moved using steel cables (basically, glorified bicycle locks). If your server is in a rack cabinet you can use the built-in locks, but beware that many manufacturers (I'm looking at you, Dell, especially) use the same key set for nearly all of their cabinets. (I love unlocking the racks at sites I've never been in before with the one of the variety of rack keys I carry...)
Hedging your bets against theft using off-site backup and full disk encryption, along with insurance for the physical hardware, are your best bets. You're certainly already on the right track w/ your use of off-site backup.