
Welsh manufacturers have been given a stark but practical overview of the rising cyber risks facing the sector and the simple steps that can prevent a crisis.
At a recent Manufacturing Wales event, hosted in partnership with PureCyber, PureCyber founder and CEO Damon Rands set the tone early with a powerful analogy, saying that working with cyber specialists is “a bit like having private healthcare – it won’t stop you getting ill, but it will help you detect, diagnose, treat and recover far more quickly.”
For manufacturers, whose operations rely on interconnected machinery and uninterrupted workflow, that difference can be existential, the event heard.
Damon Rands outlined three starting points for businesses overwhelmed by where to focus their cyber efforts:
- Audit what you have
What data do you hold, where does it live, and what systems talk to each other? Many manufacturers couldn’t answer this confidently, and that’s the first danger.
- Identify vulnerabilities
During the panel session, vulnerabilities ranged from ageing equipment still running on obsolete Microsoft systems, to staff logging on from home networks, to unsecured mobile devices on factory floors.
These risks are diverse, sector-specific, and often invisible, until they aren’t.
- Strengthen governance
What processes tell you something is wrong? How well are staff trained? How quickly can you respond when an issue surfaces?
A key message at the event was: Cyber Essentials is the first technical standard to aim for, but it shouldn’t be delivered by your existing IT provider.
Because Cyber Essentials is self-certified, relying on the same company that manages your IT to also verify your cyber resilience creates a natural conflict of interest, attendees were told. As one member put it, “How do you know they’re telling me the truth, and not simply selling you more products?”
The panel also highlighted a crucial operational gap: most IT companies lack the forensic and defensive capability needed when an incident occurs. That’s where cyber-specialist firms play a fundamentally different role, the event was told. The conclusion was that IT providers and cyber security providers often work in an efficient partnership to manage and protect digital environments, and that a partnership between your IT company and a company with specific cyber expertise can be the most effective and powerful combination.

Recent attacks on Jaguar Land Rover and Marks & Spencer were cited as high-profile examples not simply of failure, but of complexity. Despite significant investment, both organisations suffered because different providers were responsible for different parts of the security posture, and each assumed someone else was covering a key area. Fragmentation created the gaps that ransomware attackers exploited, so if you are using different providers, ensure that you are clear about exactly what service you are receiving from each one.
Manufacturing Wales Chair Simon Pritchard said that for manufacturers juggling production schedules, safety requirements and supply-chain commitments, finding those gaps internally can feel impossible. But, as he concluded, the most important thing is that you just need to start somewhere.
A Practical Roadmap for Manufacturers:
- Conduct an audit
Know what data you have, understand your networks, identify what machinery is network connected, and note the operating systems behind them.
- Penetration test
How easily could someone break in? What could they take? And how long would operations halt if they did?
- Defend
Once you understand your assets and weaknesses, you can create a targeted protection plan, not just a generic IT upgrade.
For those ready to go further, the panel highlighted Cyber Essentials Plus, ISO 27001, and IASME Assurance Level 1 as future steps.
The Supply-Chain Reality: Compliance Is Coming
One of the clearest warnings from the event was that large primes increasingly expect Cyber Essentials as part of their due diligence. This pressure is cascading down the supply chain – from OEMs to tier-ones and right through to micro-SMEs. For manufacturers supplying automotive, aerospace or defence, the shift toward mandatory accreditation is accelerating. Those who delay will fall behind their competition.
Panel members described the current cyber landscape as “the Wild West”, crowded with misinformation, contradictory advice and inconsistent standards. This leaves many SMEs paralysed, worried about investing in the wrong thing or choosing the wrong provider. Training and support from specialist firms like PureCyber were highlighted as essential to cutting through the noise.
A powerful analogy closed the session: cyber security today is like a 1980s construction site where the risks were huge, standards were patchy, and regulation was coming forward in a piecemeal way. Just as health and safety has transformed over time, so too will cyber expectations, and manufacturers must modernise before they’re forced to.
Manufacturers are now prime targets for ransomware groups, the event heard, with downtime costs huge. Recovery is slow and expensive and reputational damage can be fatal. The message from Manufacturing Wales and PureCyber was that doing nothing is no longer an option. Start with Cyber Essentials. Look beyond your IT provider and seek specialist cyber support, because when things go wrong, they go wrong fast and the cost of prevention is far lower than the cost of an attack, they advised.














