02 | KEY RISK TRENDS

Key Risk Indicators: Look Deeper than Cyber Ratings to Find Real Risk

On the surface, manufacturing companies appear to have a strong cybersecurity posture. Most are scoring an A or B in cyber ratings, which might suggest a healthy risk environment.

However, this high-level view can create a false sense of security. Cyber ratings only tell a partial story, and even highly rated companies may have key risk indicators (KRIs) that signal immediate danger.

Key risk indicators are forward-looking metrics that serve as an early warning system, predicting potential threats before they escalate into serious incidents. While cyber ratings provide an overall picture of security posture, KRIs uncover the hidden vulnerabilities that threat actors are actively exploiting in the wild.

When we look beyond the surface-level ratings, the data reveals a stark reality:

A staggering 75% of manufacturing companies have critical vulnerabilities with a CVSS score of 8 or above.

Nearly two-thirds (65%) of the companies have at least one vulnerability from the CISA Known Exploited Vulnerabilities (KEV) Catalog, meaning these weaknesses are already being exploited by threat actors.

The number of companies that experienced a ransomware attack increased by 9% compared to the previous year.

[Figure: Cyber Rating Distribution Across Manufacturing Sub-Industries]

[Figure: Cyber Rating Distribution % Across Manufacturing Sub-Industries]

Key Risk Indicators

| Finding | # of Companies | % of Companies | Change Compared to 2024 (%) |
|---|---|---|---|
| Have critical vulnerabilities (CVSS score 8 and above) | 787 | 75.4% | 5.1% ⬇️ |
| Have leaked credentials in the last 90 days | 154 | 14.8% | 78.4% ⬇️ |
| Have at least one vulnerability from CISA's KEV Catalog | 674 | 64.7% | 2.7% ⬇️ |
| Have broken crypto algorithms (SSL/TLS) | 575 | 55.2% | 11.0% ⬇️ |
| Have poor name server configuration | 103 | 9.9% | 18.9% ⬇️ |
| Experienced a data breach in the last year | 55 | 5.3% | 5.2% ⬇️ |
| Have poor name server configuration | 47 | 4.5% | 9.6% ⬇️ |
| Experienced a data breach in the last 90 days | 47 | 4.5% | 104.4% ⬆️ |
| Have denial of service risk | 16 | 1.5% | 30.4% ⬇️ |
| Experienced a ransomware attack in the last year | 24 | 2.3% | 9.1% ⬆️ |

This data points to a dangerous disconnect between perceived security and actual risk.

While overall cyber ratings may appear favorable, the presence of critical, unpatched vulnerabilities and known exploited weaknesses shows that basic security controls are being widely neglected. The significant increases in both data breaches and ransomware attacks are a direct consequence of these foundational issues.

Next, dig into the supply chain’s weak links with specific security posture findings.
