Gonzalo Sanz Segovia | 22/07/2025
Data centers face various risks that may compromise their proper functioning, among them power failures, extreme environmental conditions, human error, cyberattacks and fire. Implementing preventive measures and early detection systems are the key to minimizing negative impact.
Data Protection Centers (DPC), known as data centers, are the bedrock of IT services infrastructure. They store, process and distribute enormous volumes of information and range in size from a single floor of a building to an entire complex. Reliable operation requires specific construction and technological conditions. But what risks do they really face? We discuss the subject with Francisco José Herrera Luque, cybersecurity and operational risk expert at the European Central Bank, who is also a professor on the Master’s in Cybersecurity at the Comillas Pontifical University (ICAI).
“From a security perspective, the main risk we’re talking about is the availability of the service offered by the data center, meaning the servers it holds can operate normally,” explains Herrera. This availability can be compromised by multiple factors, from a power outage to insufficient connectivity, or by failures in the physical or environmental conditions required by servers, or problems in the building structure itself. In all these cases, the unavailability of the service provided can result in sever financial losses for the companies that depend on these systems. As such, it’s essential to be prepared for any threat that jeopardizes the correct operability of a data center.
Main data center risks
Among the multiple risks facing a data center are environmental threats, especially if it’s located in an area prone to flooding or earthquakes. These facilities have specific construction characteristics, and failure to follow these requirements could result in the facility collapsing. Another critical risk is the loss of electricity supply: having enough power and robust network connectivity is vital. Controlling physical and environmental conditions is also key, as excessive temperatures, humidity and dust can cause faults and halt the service.
However, the most frequent risks usually arise from human error and technical failures. “Mistakes can be made in maintenance operations, poor configurations can interrupt a section of the network, or something stops working because of a sub-optimal configuration,” says Herrera. Technical elements also have a useful life, which means preventive maintenance is important, so that elements are switched out before they fail. Even so, incidents in a data center are not very frequent, according to the cybersecurity expert. “Any configuration change needs to be made in line with a pre-established plan, and if an incident occurs during execution or something unforeseen happens, you retrace your steps and find out what went wrong.”
Herrera also makes a distinction between a cyberattack and a cyber incident: both compromise the confidentiality, integrity and availability of the information or systems, but differ in origin. If the event is intentional, it’s considered a cyberattack, but when it happens by mistake, it’s called a cyber incident. The first group could include sabotage, where the DPC ceases to operate as a result of a network connectivity or electricity supply interruption, or getting someone from the maintenance team or provider to tamper with the system or install malware.
Prevention measures
The old saying “Prevention is better than the cure” applies particularly to data centers. That’s why they incorporate preventive measures and feature multiple redundant resources. “The best mitigation, the most powerful tool to avoid unavailability, is ensuring sufficient redundant elements are in place so that if one aspect fails, processes are redirected. This approach gives you the best guarantees,” advises Herrera. For example, properly dimensioned and duplicated external connections prevent the data center from becoming isolated.
Even with monitoring and detection systems and response protocols in place, prevention is the most vital aspect of security in a data center, and runs the gamut from basic things like location, structural design or floor type to more critical factors like electricity supply, connectivity, rack types or cooling systems. “DPCs can cost hundreds of millions of dollars to build. Certain elements are more configurable, such as problem detection: environmental, humidity, contamination, access controls, movement sensors and that kind of thing. But the bulk of the cost goes back to preventive controls,” the expert stresses.
Security controls and detection measures
Security in a data center also involves protecting the confidentiality and integrity of information. For this purpose, physical security controls are applied in the server room so that nobody goes in and installs a device that shouldn’t be there, as well as logic security controls designed to avoid espionage.
Access to the servers is very restricted: prior authorization, a specific action plan and a specific time frame are required before entering the server room, and all movements are tracked. Most employees are located in another area, and they must be properly trained and be able to detect danger, as in addition to knowing how to do their jobs, “they may be the target of social engineering, because they are also a control point,” explains Herrera.
Data centers are equipped with systems that monitor all critical parameters to guarantee the correct functioning of the servers. They also have closed television circuits, intrusion detectors, physical barriers, fire-resistant doors, and security guards.
The servers are usually stacked in black cabinets, in rooms equipped with pollution filters and fire protection systems. In another space, operators attend to the monitoring and control systems. “When alerts occur, operators know what procedure to follow, be it redirecting traffic, adjusting the temperature, etc. Depending on the size and complexity of the installation, these controls are more or less sophisticated,” says Herrera.
Responding to incidents: planning and redundancy
When server failures occur, continuity plans are activated that allow essential operations to be maintained until the incident is resolved. Data centers have uninterrupted power supply systems, diesel generators, multiple cooling systems, in case one fails, as well as various backup electronic systems. Contracts are negotiated with providers to guarantee supply that include penalties if commitments are not met.
“The cost of a stoppage is so high that it’s worth having everything redundant across multiple points,” says Herrera, who is in favor of distributing servers in different data centers. In fact, according to a report from the Ponemon Institute, the average cost of an unplanned stoppage in a data center could be as high as 8,000 euros per minute.
In any case, Francisco José Herrera stresses that it’s not enough to just design contingency plans – they also need to be tested regularly. “Contingent capabilities are designed and tested in peacetime, because when the incident arises, there’s no room to react. If they don’t work as planned, you’re lost,” he concludes.
ARTICLE COLLABORATORS:
Francisco José Herrera Luque is an expert in Cybersecurity and Operational Risk at the Directorate General for Market Infrastructure and Payments at the European Central Bank, and Professor of the Master’s Degree in Cybersecurity at the Pontifical University of Comillas (ICAI) in Madrid. A telecommunications engineer from the Carlos III University of Madrid, he has 15 years of experience in the field of cybersecurity in various positions, covering the three lines of defense and encompassing the academic field (as a researcher at the Carlos III University of Madrid and Deutsche Telekom Laboratories), security operations (as a security engineer at Airbus Military), consulting, and managed security services as Team Leader and Manager at Deloitte Cyber) and central banking, as Technology Risk Inspector for the Single Supervisory Mechanism at the Bank of Spain and as Cybersecurity Expert for the internal cybersecurity of the Bank of Spain and for the security governance of the European Central Bank.
