Closing the 19-day security awareness training gap in the manufacturing sector

At 6:18 am, just before a line starts, a maintenance supervisor gets a message about an urgent software update for a production asset. The timing feels believable. The wording sounds technical enough. The request looks like one more task to clear before the shift begins. By the time anyone questions whether the update is real, the attacker may already have reached a workstation, a remote-access path, or an engineer’s credentials.

According to SoSafe’s 2026 study, 67% of surveyed EU security professionals reported an increase in the number of AI-engineered attacks over the last 12 months and 71% reported an increased scope of AI attacks. 

The  same study found out that 19 days is the average time organisations take to update overall defences, refresh the guidance and training employees rely on, and measure whether the update actually changed behaviour after a new threat appears. Manufacturing made up 10% of respondents. 

In this sector, that delay can multiply operational risk because the same social engineering tactic can move from corporate systems into plant operations before the organisation has translated one incident into changed controls, changed guidance, and changed behaviour.

TL;DR

This article explains why the 19-day gap is especially risky in manufacturing, where social engineering often targets remote access, software updates, shared devices, vendors, and frontline workflows. It also shows how security leaders can shrink that gap by connecting faster reporting, role-based reinforcement, and behavioural proof into one adaptive human risk management loop.

Why the gap creates different risks in manufacturing

Manufacturing attracts attackers because even a routine-looking request can lead to downtime, access loss, or operational disruption if it slips through.

A remote support request, a maintenance update, a supplier document, or a help desk reset can all look routine while still opening a path to credentials, remote access, or production disruption. In Verizon’s 2025 snapshot, use of stolen credentials appeared in 34% of manufacturing breaches, phishing in 19%, and ransomware in 47%. At the same time, ENISA’s Threat Landscape 2024 says industrial and manufacturing sectors were the most frequently targeted by ransomware.

The social engineering side is getting sharper too. Kaspersky ICS CERT’s report describes campaigns targeting manufacturing with personalised spear-phishing lures that impersonated legitimate software updates and sensitive internal documents. Dragos’s industrial ransomware analysis adds the wider context: manufacturing remained the most impacted industrial sector, while attackers kept exploiting supply-chain and remote-access weaknesses.

Where the 19 days disappear in manufacturing operations

One alert has to cross IT, OT, engineering, and site leadership

A suspicious message may be spotted quickly. The slowdown usually starts after that. In the manufacturing industry, the control change often sits with one team, the site communication with another, the shift brief with a supervisor, and the training update somewhere else again. The delay builds in the handoffs.

That is why manufacturing leaders often feel behind even when detection was not the real problem. One incident has to become one decision across identity, remote access, engineering workstations, plant leadership, and frontline communication. If those paths are disconnected, the organisation learns slowly.

Digital-only training misses the people closest to the line

This is where manufacturing differs sharply from office-heavy sectors. The people closest to operational risk are often not sitting in a learning portal all day. Cigref notes that the training needs to be adapted to the context of the organisation and the work environment, and it warns that the reality of the environment on the ground and the digital divide can block adoption. 

According to a Unisys and ISG frontline worker survey, among the industries surveyed, manufacturing frontline workers were the most likely to rely on paper-based communication for information sharing, and many organisations still depend on shared or non-portable devices. 

That is why digital-only awareness often becomes background noise on the plant floor. It reaches the inboxes that are easiest to reach, not always the people making decisions around machines, maintenance, quality, or vendor access.

Sending the warning is easier than proving it worked

Most teams can issue a warning faster than they can show whether it changed anything. Did reporting improve on the line? Did supervisors challenge unusual vendor requests more often? Did the same lure stop working on the same site?

That is where the 19-day gap becomes a measurement problem. If the only proof is that a message was sent or a module was assigned, the next delay has already started. 

Manufacturing leaders need evidence that behaviour changed where downtime, safety, or process integrity are actually exposed.

See how security leaders are benchmarking adaptation speed and behavioural readiness against AI-driven manipulation.

Read the full report

What manufacturing security leaders should audit first

Start with the workflows that can change plant operations quickly: remote support, engineering software updates, shared workstation logins, supplier requests, and any approval path that can alter access or production settings.

Then look at the reach. Which parts of the workforce hear about a new tactic in minutes, and which only hear about it at the next shift brief, toolbox talk, or supervisor cascade? In manufacturing, that gap is often wider than leaders think.

Finally, check for proof. If you cannot see reporting patterns, repeat exposure, or role-specific behaviour change by site or function, the organisation is still flying by completion rates.

How manufacturing security teams can close the training gap faster

The strongest response is not another annual refresher. It is a tighter loop. Catch the signal early. Turn the live tactic into current reinforcement. Push it through channels frontline teams will actually see. Then measure whether reporting, challenge behaviour, and risky actions changed.

That is where a more adaptive human risk management approach becomes useful. 

Manufacturing security teams need a way to centralise reporting and triage, mirror live lures into safe practice quickly, reinforce roles differently across plant, engineering, and corporate teams, and measure whether the organisation is becoming harder to manipulate over time. That is  SoSafe’s approach. Less manual drag, more relevant reinforcement, and clearer proof that one incident actually led to learning.