Many years ago, a friend of mine was involved in security auditing and awareness testing.
During one assessment, he used a very simple exercise. Since he had legitimate access to the client’s facilities, he left several USB drives in different areas of the office. Some were placed on desks, others in common areas. Each one had a harmless handwritten label, something like “Holiday Photos” or “Travel Pictures”.
There was no malware and no intention to cause damage. The objective was simply to understand how people would behave when faced with something familiar, small and apparently insignificant.
The result was quite revealing. Several employees plugged the devices into corporate systems, and each time that happened, my friend’s team received a notification confirming that the USB had been connected.
What stayed with me from that story was not the USB itself. It was the decision behind it. A person saw an unknown device, became curious, trusted the environment around them and connected it to a work system without considering the potential consequences.
I think this lesson is especially relevant for data centres.
These environments are built around resilience, redundancy, access control, monitoring, compliance and technical sophistication. The level of investment is enormous, and rightly so. But as facilities become larger, more complex and more dependent on multiple teams, contractors, vendors and visitors, the human layer becomes harder to control.
A data centre is not only protected by walls, cameras, barriers and procedures. It is also protected by the daily judgement of the people who work inside it.
A door held open for convenience, a badge used too casually, an unfamiliar person not challenged, a device connected out of curiosity. None of these actions may look dramatic in isolation, but each one can create a gap between the security architecture on paper and the security reality on the floor.
That is why physical security awareness should not be treated as a secondary activity or a compliance formality. In critical environments, training is part of the protective architecture.
The objective is not to make every employee a security expert. The objective is to make security-conscious behaviour normal, practical and repeatable.
Because the strongest security environments are not only those with the best controls. They are those where people understand why the controls exist, how their actions affect the wider system, and when a small decision can become a serious vulnerability.
The USB was never the real vulnerability. Human behaviour was.
