Move servers to a physically secure location if they already aren't there.
Change the combination lock on your computer room door and give that combination only to those who need to know. If it's a regular tumbler lock, replace it with a combination lock.
Review the audit logs of who's entering your computer room. If you aren't auditing entry, start doing so.
Update your policy that describes how employees should handle sensitive informationwhere it is stored, how it can be transmitted, and so on.
Check public computers for keystroke loggers; consider encasing them in lockable containers that prohibit access to the keyboard port.
Educate users about EFS and plan for deployment on laptops.