I have visited many companies in my 25 years in IT. Some were open space with dogs roaming the offices. Others required you to announce your name before they allowed you inside. One place required a thumb print and retina scan before you could access their servers. Physical security for your servers is essential. Someone can come in and just take your data and access it.
However, many of these clients that are VERY security conscious leave easy access to those same servers electronically. One overlooked item is user accounts. When an employee leaves, many businesses have no process to disable accounts, email, and mobile devices. These former associates might as well have keys to the server room. I have seen companies that have 80 active user accounts accumulated over 10 years but only 20 employees! If you think this only happens to small companies, it recently occurred at a large athletic shoe company: a former employee went to a competitor and used his old credentials to gather intelligence on his former company.
Does your current IT have a process to regularly check accounts, as well as who has remote access to your sensitive data? If not, you might as well leave your doors open on your way out at night.
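As an added illustration of the kind of regular account check the question above calls for (this is example code, not something from the original post), here is a small audit over a constructed export of user records. The field names, the 90-day idle threshold and the sample users are all assumptions; a real run would read the same fields from your directory or HR system.

```python
from datetime import date, timedelta

# Constructed sample export (not real data): one record per account.
# Field names are assumptions; map them to whatever your directory provides.
SAMPLE_USERS = [
    {"user": "alice", "enabled": True,  "last_logon": date(2024, 5, 30), "terminated": None,             "remote": True},
    {"user": "bob",   "enabled": True,  "last_logon": date(2023, 1, 12), "terminated": None,             "remote": True},
    {"user": "carol", "enabled": True,  "last_logon": date(2024, 4, 2),  "terminated": date(2024, 4, 5), "remote": False},
    {"user": "dave",  "enabled": False, "last_logon": date(2022, 8, 1),  "terminated": date(2022, 8, 1), "remote": False},
    {"user": "erin",  "enabled": True,  "last_logon": None,              "terminated": None,             "remote": True},
]


def audit_accounts(users, today, max_idle_days=90):
    """Return {user: [reasons]} for enabled accounts that need review or disabling.

    An account is flagged when HR marks it terminated but it is still enabled,
    when it has never logged on, or when it has been idle longer than
    max_idle_days. Remote access is noted because it raises the risk.
    """
    findings = {}
    idle_cutoff = today - timedelta(days=max_idle_days)
    for u in users:
        if not u["enabled"]:
            continue  # already disabled; nothing to do
        reasons = []
        if u["terminated"] is not None and u["terminated"] <= today:
            reasons.append("terminated %s but account still enabled" % u["terminated"])
        if u["last_logon"] is None:
            reasons.append("never logged on")
        elif u["last_logon"] < idle_cutoff:
            reasons.append("idle since %s" % u["last_logon"])
        if reasons and u["remote"]:
            reasons.append("has remote access")
        if reasons:
            findings[u["user"]] = reasons
    return findings


def headcount_gap(users, employees):
    """List enabled accounts that do not match anyone on the current roster.

    This is the '80 accounts, 20 employees' check: every enabled account
    should map to a current employee or a documented service account.
    """
    enabled = {u["user"] for u in users if u["enabled"]}
    return sorted(enabled - set(employees))


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed audit date
    for user, reasons in audit_accounts(SAMPLE_USERS, today).items():
        print("%-6s %s" % (user, "; ".join(reasons)))
    # Constructed roster: only alice and bob are still employed
    print("not on roster:", headcount_gap(SAMPLE_USERS, ["alice", "bob"]))
```

Running the check on a schedule and comparing against the HR roster catches both failure modes the post describes: the terminated employee whose account was never disabled, and the slow accumulation of accounts nobody owns.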
More on the shoe company security fiasco: