Cyberattacks on manufacturing environments threaten not only data but also uptime, safety, and supply chains. Technology investments alone can’t close these gaps; security must be embedded into culture.
If one employee’s seemingly innocuous click can stop production for weeks, how secure are your operations really?
The 2025 Jaguar Land Rover (JLR) cyber incident was a wake-up call for every manufacturer.
In case you didn’t hear about it, here’s what happened: In late August, nefarious actors affiliated with the “Scattered Spider Group” slipped in through employee credentials stolen using malware, quietly moved through internal systems, and ultimately forced a production shutdown throughout September and into early October that rippled across JLR’s global supply chain.
According to the BBC, the incident led the automaker to incur £485 million in losses and another £196 million in cyber-related costs, resulting in a 24% drop in Q3 revenue. Not only did the breach halt car production and cause financial losses, but it also affected JLR’s workers, suppliers, and customers.
Incidents like this show why a security-first culture isn’t optional anymore. Yet often, companies over-invest in tools and under-invest in the one element that truly defines resilience: culture. When every employee becomes a potential entry point, organizations must build security into daily habits.
Here’s what to know about building a security-first culture across IT and business.
Why Tools Alone Don’t Solve the Problem
Technology can only secure what it can govern, and in manufacturing, the environment is uniquely complex. Operational Technology (OT), Industrial IoT (IIoT), and enterprise IT networks have converged to pursue efficiency, significantly expanding the attack surface.
The challenge is that many foundational OT systems, including PLCs, SCADA, and DCS, were designed for continuous availability and stability, rather than with native cybersecurity in mind. When connected to the IT network, these systems expose themselves to the outside world, creating a high-risk scenario in which disruptions to information flow can lead to unauthorized modifications and even endanger human life.
Ultimately, security is only as strong as the least-aware user or the least-governed process. A recent data breach report shows that human error accounts for 60% of data breaches. This means that investing solely in tools is futile if the culture and behavior fail to support secure practices. Culture is the essential force multiplier that makes your substantial technology investments truly effective and turns employees into the organization’s most trusted line of defense. And with executive buy-in and leadership, you can avoid creating a culture where people assume that “security is someone else’s job”.
Foundations of a Security-First Culture
The foundation for a security-first culture has three parts:
- Shared Accountability Across IT, OT, and Leadership
Security and OT may appear to have competing priorities, with one focusing on data confidentiality and the other on continuous availability. To move forward, you must formalize governance by creating a structure that truly shares risk accountability, leveraging OT’s safety and engineering knowledge alongside IT’s cyber expertise. After all, why should the CISO be held accountable for security outcomes when they only control a fraction of the organization’s people, processes, and budgets?
- Integrating Security into Core Business Outcomes
Security initiatives must tie to the metrics your executives care about: guaranteed uptime, waste reduction, and worker well-being. Look at it this way, in the long term, securing your industrial sensor networks doesn’t add cost; it’s a smart investment in predictive maintenance that actively prevents costly, unplanned downtime.
- Embedding Security into Daily Decision-Making
Finally, security considerations are baked into every aspect of the organization, from the shop floor to the boardroom. This includes mandatory security sign-offs during procurement and project management, especially for connected products, where vulnerabilities can pose significant safety risks to end users.
Practical Playbooks for IT Leaders
To make this security-first culture work, you need clear, executable strategies:
Frontline Training
One-off annual security awareness training won’t cut it. Your frontline employees need continuous, role-specific upskilling that connects cyber practices (such as phishing awareness) directly to industrial safety protocols (such as Lockout/Tagout procedures and emergency action plans). By investing in these learning opportunities, you not only improve compliance but also boost retention, turning your operators into your most effective first line of defense.
Executive Engagement
Get your cybersecurity roadmap on the board’s agenda. Position Zero Trust not as a heavy compliance requirement, but as the essential business enabler for secure cloud adoption, remote capabilities, and agile innovation.
Cross-Functional Security Councils
Create an official, empowered IT/OT Security Council. This decision-making body must include leaders from operations, safety, and IT security. Its purpose is to formalize shared accountability, ensuring that all functional heads are obligated to implement agreed-upon actions and effectively harnessing collective institutional knowledge.
Governance and Metrics
Governance must align with relevant regulatory demands. Crucially, success should be tracked using behavior-based Key Performance Indicators (KPIs). For example, measuring reductions in policy or audit violations and the completion rates for role-specific training can help gauge whether your security posture is improving.
Zero Trust as a Cultural Mindset
Zero Trust is more than a technical framework. Adopting this principle as a mindset fundamentally changes the way people think about trust, access, and workflows, thereby improving the security posture.
Ensure your organization is doing the following:
- Verifying every user, every device, every connection, regardless of origin.
- Segmenting IT and OT networks so that a breach in one area cannot compromise the whole floor.
- Controlling vendor and contractor access tightly.
- Continuously monitoring device behavior even after approval.
When Zero Trust shapes how systems and how people operate, the security posture becomes that much stronger.
Make Security Everyone’s Job
Here is a practical roadmap for manufacturing leaders ready to commit to a lasting security-first culture:
- Conduct a Cultural Assessment: Survey staff, review workflows, and identify behavioral and procedural gaps across IT, OT, and operations.
- Form a Cross-Functional Security Council: Include leaders from all relevant functions. Give them the authority to approve changes, vet vendors, and align operations with security standards.
- Launch Ongoing Awareness Programs: Make training frequent, relevant, and integrated into daily operations.
- Appoint Department-Level Security Champions: Identify and empower individuals in each plant or team who guide behavior, reinforce standards, and act as liaisons with central security governance.
- Standardize Vendor and Third-Party Access Management: Vet and control every external access point to ensure consistency and minimize risk.
- Track and Report Key Metrics Transparently: Use security metrics tied to business outcomes to monitor progress, demonstrate value, and sustain momentum.
When everyone understands their role in protecting production, security becomes part of the company’s identity, not a side job.
Need cybersecurity help? NRI can evolve your posture by providing access to cutting-edge tools and expertise, alongside training your team so that you truly become a security-first enterprise. Schedule a cybersecurity maturity assessment to learn more.
