The second attack surface, according to Ahola, is connected products. “In consumer-facing segments such as automotive and consumer electronics, the number of endpoints can easily be in the millions, and companies have no control over the environments the connected products get exposed to,” he said. Essentially, manufacturing companies face heightened cybersecurity risk because it isn’t enough to protect just the mainframes, software and data that make up any IT system. Each “joint” in the chain of manufacturing steps presents yet another potential point of entry for attack.
This year’s index also contains some eyebrow-raising findings that seem to confirm the old adage that the vast majority of security threats—from old-time espionage to the present-day AI-generated deepfakes—are based on openly available sources. For example, X-Force saw a 44% increase between 2024 and 2025 in the exploitation of public-facing data—a broad category that includes a company’s public website, sales brochures and social media postings.
The good news is that there are plenty of measures manufacturing companies can take to mitigate risk. For starters, Ahola said, organizations need to “take a holistic approach to cybersecurity, covering all of IT, OT and connected products.” Additionally, he advises against fragmented security practices. “Currently, too many companies have separate security organizations for each [department], leading to cracks in the armor and slower ability to detect attacks, as you can’t correlate incidents across your entire business.” In other words, in an industry riddled with large and varied attack surfaces, siloing adds insult to injury.
