The numbers are stark, and they landed this morning.
New ESET research, published April 1, 2026, reveals that 78% of UK manufacturers, nearly four in five, suffered at least one cyber incident in the past twelve months. More than half of those incidents resulted in direct revenue loss. In over half the worst cases, losses exceeded £250,000 from a single incident.
And yet — here’s the number that should alarm every board member and CEO reading this: only 22% of UK manufacturers have cybersecurity represented at executive or board level.
The rest treat it as an IT department problem.
That gap is not just a security issue. It’s a business continuity issue, a regulatory issue, and, as Jaguar Land Rover’s shareholders discovered last year, a shareholder value issue.
This article is written for business leaders and IT managers in UK manufacturing who need to understand what’s actually happening, why the traditional IT-focused response is insufficient, and what concrete steps to take to protect their operations.
The Scale of the Problem: What the Numbers Mean for Your Business
Let’s put the ESET statistics into business terms:
78% hit in the past year. This isn’t a small-business problem or an SME problem — this is a sector-wide phenomenon. If you’re in UK manufacturing and haven’t had an incident, you’re in the statistical minority. And if you haven’t had a detected incident, that’s a different question.
Over half experienced revenue loss. Cyber incidents in manufacturing don’t just create cleanup costs — they stop production. Every hour a production line is down is revenue that doesn’t come back.
Losses over £250,000 in the worst cases. For a mid-market manufacturer, a quarter-million-pound incident is not an abstract risk. It’s a material impact on the P&L.
1 in 5 have limited or no threat visibility. One in five manufacturers cannot tell you what’s connected to their network, what traffic is normal, or whether they have an active intrusion. They are, in the language of security, flying blind.
~50% see AI-assisted attacks as their top future threat. And they’re right to be concerned — attackers are deploying AI to automate and scale attacks in ways that will make the current statistics look mild.
The Jaguar Land Rover Benchmark
No discussion of UK manufacturing cybersecurity in 2026 can skip the JLR attack, because it changed the frame of reference for every risk assessment in the sector.
What happened:
- A cyberattack hit Jaguar Land Rover in late August 2025
- By 22 September, all production lines — UK, Slovakia, Brazil — had stopped
- Workers were sent home and told to apply for Universal Credit
- Supply chain companies dependent on JLR went into crisis
- Full production restart didn’t happen until October
What it cost:
- £196 million in direct exceptional costs (incident response, IT rebuilding, forensic investigation)
- £500 million quarterly net loss — swinging from a profitable position
- £1.9 billion total UK economic impact per the Cyber Monitoring Centre’s Category 3 assessment (their most severe category for systemic events)
- Supply chain companies across tiers 1, 2, and 3 — impacts still being quantified
What it means for you:
JLR had a dedicated security function. They were not a small business with no IT department. They had resources. And the attack still cost them £1.9 billion in economic impact, weeks of production downtime, and thousands of threatened jobs.
The question for your business is not “could this happen to us?” — it demonstrably can. The question is: “what would a JLR-equivalent disruption cost us, and what are we doing to reduce that risk?”
If you run a manufacturer with £50 million in annual revenue and your production lines are down for two weeks, your losses might be £2–4 million in direct costs plus supply chain penalties, customer relationship damage, and reputational impact. Scale the JLR number to your size. That’s your risk exposure.
Why This Is a Boardroom Problem, Not an IT Problem
The 22% boardroom representation figure is the root cause finding in the ESET research. It explains much of the sector’s vulnerability, and it reflects a fundamental misunderstanding of what cyber risk means in a manufacturing context.
The IT Security Mental Model (Wrong for Manufacturing)
Most business leaders’ mental model of cybersecurity is shaped by data breaches: hackers steal customer data, there’s a regulatory fine, maybe some reputational damage. That’s an IT problem because the risk is to data systems.
Manufacturing cyber risk is different in kind, not just degree:
In manufacturing, the attack surface is the production floor.
Modern manufacturing facilities are deeply networked. ERP systems connect to production scheduling. Sensors stream data to cloud analytics. PLCs (the computers that control physical machinery) connect to corporate networks for remote monitoring. Industrial IoT devices are everywhere.
When attackers get in — and as ESET’s research demonstrates, they regularly do — they can reach the systems that control physical equipment. The risk isn’t data theft. The risk is production stops.
A PLC controlling a conveyor belt doesn’t know the difference between a legitimate command and a malicious one. A SCADA system managing energy distribution across a facility doesn’t distinguish between an authorised operator and a ransomware tool encrypting its configuration files.
When those systems are compromised, the factory floor stops. And unlike a data breach, which can often be managed without halting operations, a compromised production control system can mean instant, total production loss.
The COO Problem, Not the CIO Problem
The logical consequence: OT (operational technology) security should report to the COO, not the CIO.
The people who feel the pain of a production stoppage are operations, not IT. The people who understand the business impact are the COO, the production director, the manufacturing VP. When cybersecurity reports only through the IT function, the operational consequence of security decisions is often invisible to the people responsible for production continuity.
This isn’t an argument against IT involvement — IT is essential. It’s an argument that the executive sponsor for manufacturing cybersecurity should be operations-side, with a clear mandate to integrate security into operational risk management.
The OT/IT Convergence Problem: Why Your Factory Is Now Exposed
To understand why manufacturing is so vulnerable, you need to understand what changed in the last decade.
Ten years ago, factory floor control systems were largely isolated. Your PLC that controlled the assembly line had no connection to the corporate network. Your SCADA system that managed utilities was a closed system. This “air gap” provided security through isolation.
That isolation is gone. And in most cases, it was intentionally removed in the name of digital transformation.
Today’s smart factory has:
- Real-time ERP integration — sales orders automatically trigger production scheduling, which means a path exists from the corporate network to production systems
- Cloud-connected analytics — sensors stream production data to cloud platforms so engineers can predict equipment failures, which means OT systems have outbound internet connectivity
- Remote maintenance access — equipment vendors need to remote in for support and firmware updates, which means third-party VPN access to OT networks is normal
- Industrial IoT everywhere — hundreds of connected sensors, cameras, and devices on the factory floor, many with consumer-grade security
- Mobile and wireless — WiFi and cellular networks covering the production floor, with tablets, scanners, and mobile HMIs
Each of these is operationally valuable. Each is also an attack path.
The Mid-Market Vulnerability Gap
Large manufacturers like JLR have dedicated OT security teams, industrial security contracts with specialists like Dragos or Claroty, and mature incident response capabilities. They still got hit.
Mid-market manufacturers — the £10m to £200m revenue businesses that form the backbone of UK industrial output — typically have:
- An IT manager who’s responsible for “all the technology”
- No dedicated OT security resource
- Production control systems from multiple vendors, some legacy, some modern
- Network designs that were built for efficiency, not security
- No OT-specific incident response plan
The ESET research doesn’t break down the 78% figure by company size, but industry practitioners consistently note that mid-market manufacturers are disproportionately exposed — too large to be low-value targets, too under-resourced to have mature defenses.
The AI-Assisted Attack Threat: What’s Coming at You Next
Nearly half of UK manufacturers surveyed identified AI-assisted attacks as their biggest future cyber threat. This isn’t just anticipatory worry — the capability already exists and is being deployed.
What AI-Assisted OT Attacks Actually Look Like
1. Lowering the OT expertise barrier
Attacking industrial control systems used to require specialist knowledge — understanding Modbus protocols, knowing how Siemens S7 PLCs work, understanding SCADA network architectures. AI tools now allow attackers with general IT skills to generate attack playbooks for specific OT environments from a network scan. The specialist knowledge barrier has collapsed.
2. Social engineering your operational staff
Operational technology environments depend heavily on human judgment — operators who receive instructions, engineers who respond to alarms, technicians who accept remote access requests. AI-generated deepfake audio and video can convincingly impersonate your equipment vendors, your own engineers, or your plant management.
An operator receiving a convincing deepfake call from someone who sounds exactly like their Siemens support engineer, explaining why they need temporary VPN access at 2am, is a much higher-value target than a generic phishing email.
3. SCADA and PLC vulnerability discovery at scale
AI tools can automate vulnerability discovery in industrial protocols far more efficiently than human researchers. New vulnerabilities in OT systems that previously took months to discover are being found faster — and attackers have access to the same tools as defenders.
4. Adaptive ransomware that knows your environment
The evolution of manufacturing ransomware is toward environment-awareness. Rather than generic encryption that hits whatever files it finds, AI-assisted malware can identify your specific production control systems, target the configuration files and PLC programs that are hardest to restore, and maximize production downtime pressure to maximize ransom leverage.
The implication: attackers are getting better at manufacturing-specific attacks faster than most manufacturers are improving their defenses.
The Regulatory Reality: NIS2, the CSR Bill, and Personal Liability
The regulatory landscape for manufacturing cybersecurity is changing materially in 2026, and business leaders who aren’t paying attention will be caught off-guard.
EU NIS2 Directive (Already in Force)
The EU’s Network and Information Security 2 (NIS2) Directive explicitly includes manufacturing in its scope for the first time. If your business has EU operations, EU customers, or is in a critical product manufacturing category (semiconductors, medical devices, and others), NIS2 applies to you now.
Key NIS2 requirements for manufacturers:
- Documented cybersecurity risk management covering OT/IT environments
- Supply chain security requirements — you’re responsible for assessing your critical vendors’ security posture
- 24-hour incident notification (initial) and 72-hour full notification to competent authorities
- Penalties up to €10 million or 2% of global turnover
- Personal liability for management — NIS2 creates legal accountability for senior executives who fail to approve and oversee cybersecurity risk management
That last point deserves emphasis. NIS2 doesn’t just fine the company. It creates personal liability for the individuals responsible for approving cybersecurity risk management. If you’re a director of a manufacturing company with EU exposure, this is your personal risk.
UK Cyber Security and Resilience (CSR) Bill
The UK’s domestic equivalent is progressing through Parliament. Key differences from NIS2 for UK manufacturers:
- Direct regulation of certain critical suppliers in manufacturing supply chains
- Potentially higher penalties than NIS2 for UK-registered entities
- Dual reporting obligations for companies operating in both UK and EU jurisdictions
- Extended scope under consultation — the bill may cover broader manufacturing categories than the existing NIS Regulations
The government has indicated that the CSR Bill will substantially increase regulatory expectations for manufacturing cybersecurity. Waiting for final passage before preparing is a strategy that has burned many compliance teams.
Practical Regulatory Checklist
- Does NIS2 apply to your business? Check EU operations, customer locations, and whether your products fall in critical manufacturing categories
- Who is your NIS2/CSR competent authority and how do you contact them in an incident?
- Do you have documented cybersecurity risk management that covers OT systems?
- Is your supply chain security assessed — particularly vendors with access to your OT environment?
- Is cybersecurity formally on your board risk register with executive ownership?
Making the Business Case: The Boardroom Conversation
If you’re an IT manager or security professional trying to get board attention, or a CEO trying to frame this correctly for your leadership team, here’s how to structure the conversation.
Frame It as Operational Risk, Not IT Risk
The framing that lands in boardrooms:
“Our production systems are networked. If they’re compromised, production stops. Based on JLR’s incident timeline, a serious attack could stop our lines for 2-4 weeks. At our production rate, that’s £X million in direct losses plus supply chain penalties. Our current OT security posture means we cannot detect an intrusion until production has already been affected.”
That’s a COO and CFO conversation, not a CIO conversation. The numbers are operational and financial, not technical.
Use the JLR Number
The Cyber Monitoring Centre quantified JLR’s economic impact at £1.9 billion. Calculate what an equivalent production stoppage would cost your business at your scale.
For a manufacturer with:
- £50m annual revenue: 2-week shutdown ≈ £2m lost revenue + £500k-£1m incident response costs
- £200m annual revenue: 2-week shutdown ≈ £8m lost revenue + £2m+ incident response costs
- Supply chain penalties, customer compensation, and reputational damage are additional
Put that number in front of your board, then present the cost of the security improvements you’re proposing. The investment-to-risk ratio is usually compelling once the risk is quantified in operational terms.
Request a Tabletop Exercise
The most effective board education tool for manufacturing cybersecurity: a 2-hour tabletop exercise where the scenario is “your SCADA system has been compromised and production is stopped.”
Walk the board through:
- Who do you call first? (Most don’t know)
- When do you notify customers? (Few have a defined threshold)
- When do you go public? (Regulatory and reputational considerations differ)
- What’s your cyber insurance position? (Many don’t know the exclusions)
- What’s your manual fallback procedure? (Critical question — can you operate at all without your SCADA?)
This exercise builds visceral understanding of the risk that no written report achieves. Book it now.
90-Day Action Plan for IT Managers
If you’re responsible for technology at a UK manufacturer and need to move from reading this to doing something about it, here’s a prioritized 90-day roadmap.
Days 1–30: Understand Your Exposure
Week 1: Map Your IT-to-OT Connections
- List every firewall rule, VPN tunnel, and direct connection between your corporate IT network and the production/OT environment
- Identify all remote access paths into OT systems — vendor access, engineer access, remote monitoring
- Check default credentials on OT network devices (routers, switches, HMIs) — change any that are default
- Confirm MFA is required for all remote access to OT systems
Week 2: Know What’s There
- Identify all legacy Windows systems in the OT environment (Windows XP, 7, Server 2008 are common — and terrifying when networked)
- List all PLCs, SCADA systems, historian servers, and HMIs — with vendor, model, and firmware version if possible
- Identify which systems have internet connectivity (direct or via corporate network)
Week 3: Quick Wins
- Patch all Windows systems in the OT-adjacent network that can be patched without production impact
- Review and remove any unnecessary IT-to-OT firewall rules
- Revoke stale vendor access credentials — vendors who haven’t needed access in 90 days don’t need standing access
Week 4: Business Case Preparation
- Use your mapping to quantify the exposure — how many paths exist from the internet to your production systems?
- Calculate the operational impact of a 2-week production shutdown at your scale
- Prepare a one-page briefing for your COO/CEO/board
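As an added illustration (not part of the original article), the Week 1 mapping and the Week 3 stale-access review can be run against a firewall rule export and a vendor account list. The CSV columns, subnets, account names and function names below are assumptions built for the example.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample data: the subnets, rules and accounts below are illustrative.
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed production/OT range

RULES_CSV = """id,src,dst,service,action
1,10.10.0.0/16,10.20.5.10/32,tcp/443,allow
2,0.0.0.0/0,10.20.0.0/16,any,allow
3,10.10.8.0/24,10.20.0.0/16,tcp/3389,allow
4,10.10.0.0/16,10.30.0.0/16,tcp/445,allow
5,10.20.0.0/16,10.20.0.0/16,any,allow
6,10.10.0.0/16,10.20.0.0/16,any,deny
"""

VENDOR_ACCOUNTS = [             # (account name, date of last remote session)
    ("vendor-plc-support", date(2026, 3, 20)),
    ("vendor-hvac", date(2025, 11, 2)),
    ("vendor-robotics", None),  # no recorded session at all
]


def paths_into_ot(rules_csv, ot_net=OT_NET):
    """List allow rules that let a source outside OT reach an OT address.

    Rule order and shadowing are not evaluated; every allow rule is reported
    so a person can decide whether it is still needed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        src = ipaddress.ip_network(row["src"])
        dst = ipaddress.ip_network(row["dst"])
        if row["action"] != "allow" or not dst.overlaps(ot_net):
            continue
        if src.subnet_of(ot_net):
            continue                      # OT-internal traffic, not a path in
        reasons = []
        if src.prefixlen == 0:
            reasons.append("source is any address")
        if row["service"] == "any":
            reasons.append("all services allowed")
        if ot_net.subnet_of(dst):
            reasons.append("destination is the whole OT network")
        findings.append({"id": int(row["id"]), "reasons": reasons})
    return findings


def stale_vendor_accounts(accounts, today, max_idle_days=90):
    """Return accounts unused for more than max_idle_days, or never used."""
    return [name for name, last_used in accounts
            if last_used is None or (today - last_used).days > max_idle_days]


if __name__ == "__main__":
    for f in paths_into_ot(RULES_CSV):
        print(f"rule {f['id']}: review", "; ".join(f["reasons"]) or "(narrow rule)")
    print("revoke or justify:", stale_vendor_accounts(VENDOR_ACCOUNTS, date(2026, 4, 1)))
```

The count of rules returned by `paths_into_ot` is the "how many paths exist" figure for the Week 4 briefing.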
Days 31–60: Improve Detection and Segmentation
Segmentation:
- Verify your IT and OT networks are separated by a properly configured firewall — not just a router
- Ensure OT remote access uses dedicated jump servers with session recording, not direct VPN access to the OT network
- Separate production OT from utilities OT from engineering networks if on the same flat network
Detection:
- Deploy a passive OT monitoring tool (options: Nozomi Networks, Claroty, Microsoft Defender for IoT, Dragos) — start in discovery mode, no active scanning (active scanning can crash PLCs)
- Configure alerts for: new devices appearing on the OT network; unusual outbound connections from OT systems; login attempts outside business hours
- Connect OT alerts to your IT team’s monitoring — OT incidents should not be invisible
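The three alert conditions listed above, written as detection logic over passively collected events. This is an added example, not code from the original article or from any of the named products; the event schema, addresses, baseline and working hours are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample data: addresses, MACs and events are illustrative.
OT_NET = ipaddress.ip_network("10.20.0.0/16")            # assumed OT range
KNOWN_MACS = {"00:1b:1b:aa:01:01", "00:1b:1b:aa:01:02"}  # baseline from discovery mode
ALLOWED_OUTBOUND = {("10.20.1.5", "203.0.113.10")}       # historian -> analytics endpoint
WORK_HOURS = range(7, 19)                                # 07:00-18:59, Mon-Fri (assumed)

EVENTS = [
    {"ts": "2026-04-01T09:15:00", "type": "device", "mac": "00:1b:1b:aa:01:01", "ip": "10.20.1.5"},
    {"ts": "2026-04-01T09:16:00", "type": "device", "mac": "DE:AD:BE:EF:00:01", "ip": "10.20.3.77"},
    {"ts": "2026-04-01T09:17:00", "type": "device", "mac": "de:ad:be:ef:00:01", "ip": "10.20.3.77"},
    {"ts": "2026-04-01T10:00:00", "type": "flow", "src": "10.20.1.5", "dst": "203.0.113.10"},
    {"ts": "2026-04-01T10:05:00", "type": "flow", "src": "10.20.2.9", "dst": "198.51.100.23"},
    {"ts": "2026-04-01T10:06:00", "type": "flow", "src": "10.20.2.9", "dst": "10.20.1.5"},
    {"ts": "2026-04-01T14:00:00", "type": "login", "user": "eng1", "host": "10.20.1.20"},
    {"ts": "2026-04-02T02:10:00", "type": "login", "user": "vendor-plc", "host": "10.20.1.20"},
    {"ts": "2026-04-04T11:00:00", "type": "login", "user": "eng1", "host": "10.20.1.20"},
]


def detect(events):
    """Return (timestamp, alert, detail) tuples for the three alert conditions."""
    seen = set(KNOWN_MACS)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "device":
            mac = ev["mac"].lower()
            if mac not in seen:           # alert once per unknown device
                seen.add(mac)
                alerts.append((ev["ts"], "new_device", f"{mac} at {ev['ip']}"))
        elif ev["type"] == "flow":
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
            leaves_ot = src in OT_NET and dst not in OT_NET
            if leaves_ot and (ev["src"], ev["dst"]) not in ALLOWED_OUTBOUND:
                alerts.append((ev["ts"], "unusual_outbound", f"{src} -> {dst}"))
        elif ev["type"] == "login":
            # Successful and failed attempts both count as "login attempts".
            if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
                alerts.append((ev["ts"], "off_hours_login", f"{ev['user']} on {ev['host']}"))
    return alerts


if __name__ == "__main__":
    for ts, name, detail in detect(EVENTS):
        print(ts, name, detail)
```

Everything here works on records a passive sensor already collects, so nothing is sent to the PLCs themselves.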
Days 61–90: Resilience and Governance
Resilience:
- Document manual fallback procedures for your top 3 most critical production processes — if SCADA goes down, what’s the manual operation procedure?
- Verify backups exist for SCADA configurations, PLC programs, and historian data — and test restoring from them
- Confirm your incident response retainer (if you have one) covers OT/ICS incidents — most IT-focused IR firms don’t have OT expertise
Governance:
- Present your 90-day findings and proposed roadmap to the board — use operational impact language
- Get OT security formally into the COO’s risk register, not just IT’s
- Assign a named executive owner for OT security risk
- Define OT security KPIs: asset visibility %, MFA coverage on remote access %, open critical vulnerabilities
The Bottom Line for Business Leaders
The ESET research confirms what security practitioners have been saying for years: UK manufacturing is under sustained, severe cyberattack. The JLR incident proved the worst-case scenario is real, not theoretical.
Four things are true right now:
- The threat is getting worse, not better — AI-assisted attacks are lowering the skill barrier for attackers targeting OT environments
- The regulatory stakes are rising — NIS2 and the CSR Bill create personal liability for executives who don’t act
- The boardroom gap is the root cause: 78% attacked and only 22% with board-level cyber engagement is not a coincidence
- The investment to close the gap is modest relative to the risk — the cost of the OT security improvements in this article is a fraction of one week’s production downtime
The manufacturing sector has two options: get ahead of this with deliberate investment and board-level commitment, or wait until an incident forces the issue at JLR-equivalent cost.
The IT manager reading this knows what needs to happen. The job now is getting it to the right people with the right frame: this is an operational risk conversation, and the cost of inaction is measured in production weeks.
Resources for Business Leaders
- ESET Research: UK Manufacturers Under Cyber Fire — The Register (April 1, 2026)
- Jaguar Land Rover cyberattack economic impact — Cyber Monitoring Centre (Category 3 assessment)
- NIS2 Directive official text — EUR-Lex
- UK Cyber Security and Resilience Bill — Parliamentary progress tracker
- NCSC Cyber Assessment Framework for manufacturing — ncsc.gov.uk
- NIST SP 800-82 — Guide to Operational Technology Security (free)
- IEC 62443 — Industrial automation cybersecurity standard
- CISA ICS-CERT — Free advisories and alerts for industrial control systems (us-cert.cisa.gov/ics)
Secure IoT Office covers OT and IoT security for business leaders and IT managers — practical guidance without the jargon. Because the boardroom gap is a bigger risk than the technical gap.



