By Juan Avellan - General Manager ELCASecurity Services
In August 2024, the Akira ransomware group breached Hoerbiger, a globally active industrial group headquartered in Zug, stealing more than 50 gigabytes of sensitive data including employee records, client contracts, NDAs and financial information, and causing a partial failure of the company's global IT systems. Hoerbiger is not a small business. The companies that fare worse are often the ones you never read about in the headlines.
Manufacturing is now the most targeted sector for ransomware in the world. Attacks surged 56 percent in 2025, rising from 937 documented incidents to 1,466, more than any other industry, while the average ransom demand more than doubled to nearly USD 1.2 million. The hardest hit are not the large corporates with dedicated security teams. They are the SMEs: highly specialised, deeply embedded in critical supply chains, and targeted precisely because they are the path of least resistance to bigger customers.
In Switzerland, the picture is sobering. Roughly 4 percent of SMEs, around 24,000 businesses, suffered a serious cyberattack in the three years to 2024, and about 55 percent of those affected reported financial losses. Confidence is falling; by 2025 only 42 percent of companies considered their protection sufficient, down from 55 percent the year before, and only around 30 percent had an IT security concept, staff training or an emergency plan in place.
And over the past two months, the backdrop has changed fundamentally.
In April 2026, Anthropic withheld its most capable model, Claude Mythos, from public release because it could autonomously discover and exploit software vulnerabilities at machine speed. Run against software and systems under a closed access programme and using a coordinated disclosure programme, its public dashboard had logged 23,019 candidate findings by late May, of which 1,596 were judged worth disclosing to maintainers and 88 have so far produced published advisories and patches.
That gap between the headline number and the real signal is the most important thing to understand. Most vulnerabilities, however they are found, are not practically exploitable in a given environment: they sit behind other controls, require unrealistic preconditions, or live in code that nothing ever reaches. The capability is real and operates at a scale no human team can match, but raw volume is noise. The discipline that matters is knowing which few findings actually expose your organisation and getting to them before someone else.
What AI changed is not the nature of attacks but their speed. The window between a vulnerability becoming known and being exploited is collapsing from years toward hours, and the cost for an unskilled attacker to act on your specific weaknesses is falling fast.
Same job, far less time to do it.
The events of recent weeks underline why dependency itself is now a risk. In June, Anthropic decided to release a version of the Mythos model but without the “dangerous” capabilities. However, just days after its release, it was jailbroken, providing access to some of those capabilities. The US government almost immediately issued an export-control order suspending access to these frontier models for all foreign nationals, including those working for Anthropic. The models were switched off for everyone overnight. A single government can now turn frontier AI capability on or off for entire populations, allies and rivals alike.
For a Swiss manufacturer, the lesson is not which model to bet on. It is that if your operations and/or your defences come to depend on capability that can be revoked by political decree or reshaped by a handful of labs, that dependency must be managed. This is why sovereign, locally run capability has moved from forward-thinking to simply prudent.
Precision manufacturing faces a cybersecurity paradox. On one side, the stakes are exceptionally high: proprietary designs represent decades of investment; position in the supply chain is critical to survival; clients increasingly demand security compliance; and sophisticated attackers target manufacturers specifically for intellectual property theft and operational disruption.


On the other side, resources are limited. Most SMEs cannot justify a dedicated security team. Systems are complex, mixing modern IT with industrial controls that were never designed with security in mind. There is a natural reluctance to update software on production systems where stability and uptime are paramount. And client requirements are often contradictory, demanding both open connectivity and airtight security.
The result is a dangerous gap: immature cybersecurity facing escalating threats. Industry analysis consistently finds the most common factor behind successful manufacturing attacks is simply a lack of in-house expertise to detect and stop an intrusion in time, closely followed by security gaps the organisation did not know it had.
When manufacturers think about cyber risk, they often think about data theft. But for a production-focused business, the damage cascades through the whole operation.
It starts with the immediate cost of understanding the breach, stopping the damage and restoring systems. Then production stops, and every hour of downtime means missed deliveries, contractual penalties and idle capacity. Then comes reputation damage: a company that has been successfully attacked is seen as unable to protect itself or its partners, and customers who lose trust start looking elsewhere, taking revenue with them. For a Swiss SME, even a fraction of the typical ransomware recovery cost, now around half a million dollars at the median, can be existential.


There is also a commercial dimension that should concentrate the mind of any management team. As insurers lose the ability to measure the risk posed by restricted frontier models, they price uncertainty instead, through higher premiums, narrower cover, or both. A demonstrable security posture is becoming a precondition for affordable, meaningful insurance coverage, not just an IT concern.
Despite the alarming trajectory, basic cybersecurity hygiene still prevents the large majority of attacks. The breaches that actually happen still come overwhelmingly from the boring causes: phishing, stolen credentials, unpatched known vulnerabilities, exposed remote access.
In practice that means knowing what is connected to your network, including OT systems, cloud services and the AI tools your engineers may be using without your knowledge; deploying critical patches within days, not weeks; maintaining backups tested through an actual restoration, not just configured and forgotten; and controlling and auditing administrative access to sensitive systems.
None of this requires a massive budget. It requires discipline, prioritisation and, for most SMEs, a trusted partner who understands their reality.
The failure mode we worry about most is not only inaction. It is distraction: spending a year and a large budget chasing exotic AI-discovered threats while the unglamorous fundamentals stay broken. In June, NIST published a mathematical proof that no finite set of guardrails can be made universally robust against a determined adversary, and its recommended response is to move from "one and done" controls to continuous monitoring, continuous hardening, and resilience that limits the damage when something does get through. That is the shift from static defence to adaptive resilience, now with a national standards body behind it.
First, establish a solid baseline and build from there. Start with the fundamentals (asset inventory, patch management, access controls and backup validation) and increase maturity progressively. For many SMEs, accessible, purpose-built security solutions can provide this baseline without the complexity and cost of enterprise tools.
Second, build the ability to detect, respond and recover. Prevention will never be fully effective, and with AI-accelerated threats the attacks that get through will move faster than ever. The organisations that come through well are those that detect an incident in hours, contain it before it spreads, and restore from validated backups. Managed detection and response makes a decisive difference for companies that cannot staff a round-the-clock security operation on their own. If something happens at 2am on a Saturday, you need someone on the phone within hours, at a rate agreed in advance, not an emergency premium.
Third, collaborate within your industry and supply chain. Attackers increasingly use small suppliers as stepping stones to larger targets. Your security posture is only as strong as the weakest link in your supply chain, and your customers know it. Sharing threat intelligence, aligning security requirements with partners and joining industry initiatives reduces risk and cost for everyone.
The hardest part, in every conversation we have, is simply knowing where you stand so you can decide where to go. Most organisations still cannot confidently answer "where are we exposed?" in minutes, or "can we deploy a critical patch in 24 hours?" Those are the questions that now decide outcomes.
That is exactly what our Rapid Diagnostic is built for: five priority domains, a traffic-light readiness snapshot, your top five gaps, and a board-ready one-page summary, delivered in about a week. The cost can be credited, in part or in full, against any follow-on service you choose to engage. For a fast first read, we also offer a free 5-minute readiness check with an overview you can share with management.
We work with Swiss manufacturers every day, from highly specialised SMEs to mid and large-sized industrial groups. We understand that security cannot come at the expense of production, that solutions must be practical and proportionate, and that the priority is simple: keep the business running. Whether you need a baseline solution that deploys in minutes, managed detection and response that watches your back around the clock, or a structured assessment of where you stand, we are here to help you do the quiet, unglamorous work, and get fast at it.
ELCASecurity. Swiss cybersecurity: We protect what matters