“All it took was a wooden stick.” This shocking statement comes from a real security incident: Three people in normal work clothes used a wooden stick to break into a secure data center—and gained access in less than 20 minutes. The intruders picked up a wooden stick from the sidewalk, stuck it through the gate of the underground parking garage, and used it to press an accessible button on the other side of the gate. The intruders gained access to the IT systems there and compromised the data center’s access software.
This incident clearly shows that digital and physical security have long been interconnected — and that vulnerabilities can be surprisingly simple.
Facility management: A core task for management—not the IT department
Modern building automation, smart metering, cloud connections, and networked access and security systems bring efficiency — but also significant risks.
In its survey on the risk situation in technical building management (TGM), the German Federal Office for Information Security (BSI) identified typical vulnerabilities such as a lack of planning principles, inadequate documentation, deficient role and authorization concepts, and poor monitoring.
For you as management, this means that cybersecurity is no longer just an IT issue, but a strategic management task — especially in construction and operational processes.
Risks with real dimensions
- According to a study by Bitkom, 81% of companies in Germany were victims of data or IT attacks or sabotage within a year.
- The economic damage amounted to around €267 billion in the period under review.
- Globally, it is predicted that cybercrime costs could reach approximately €10.5 trillion by 2025.
- Current studies also show that 83% of companies in Germany have already suffered data loss or relevant damage.
These figures make one thing clear: it is not a question of “if,” but of “when” and “how severe” an attack will be.
Exercises for the future
1. Embed cybersecurity as a key strategic priority
Your responsibility doesn’t end with the IT department. As a manager, you need to make sure that cyber-secure processes are planned, implemented, and monitored in all areas—especially facility and building infrastructure.
2. Use common standards and norms
Guidelines and standards such as ISO 27001, IEC 62443, and the BSI IT-Grundschutz Kompendium provide a proven framework. They provide assistance in systematically implementing security precautions, particularly in tenders, construction, and operational concepts.
3. Establish transparent roles, procedures, and documentation
Who will document which systems? Who will have control? Who oversees the interfaces between facility management and IT? Early stage planning, well-documented processes, and explicit responsibilities are essential.
4. Protect people, technology, and processes together
Technology on its own is not sufficient. Training, penetration testing, and regular risk assessments are also essential—as is awareness that vulnerabilities are often trivial (e.g., a wooden stick). At the same time, it is evident that companies with shadow IT often take considerable risks because uncontrolled systems are used.
Conclusion: Act now — before others do
The breach described at the beginning shows that a small physical vulnerability—combined with digital misconfiguration—is all it takes to compromise a highly secure data center. For you as management, this means that cybersecurity is not an additional duty, but rather a fundamental management and design responsibility.
Your buildings, facilities, and processes are part of your value chain. If they are compromised, there is not only a threat of production or operational disruptions, but also reputational and liability-related exposures.
Now is a great time to adopt a holistic approach to cybersecurity – one that is strategic, structured, and sustainable.