New research from Macrium Software reveals that increased spending on cybersecurity in the manufacturing sector may be misplaced and could lead to a false sense of security for manufacturing organizations. Findings suggest that while cyber threats remain a serious concern, they are only directly responsible for 5% of production outages, while the majority of downtime, costing up to $100,000 per hour, is caused by a widening “recovery gap” – the ability to recover from internal operational failures such as network errors, configuration loss or change, or planned maintenance gone wrong.
That is according to a new 2026 study by Macrium in partnership with research agency Newton X. The study, which surveyed verified IT and OT decision-makers from manufacturing organizations across the United States, Canada, and the UK, closely examines how manufacturing organizations approach system protection, backup, and business continuity strategies.
High-profile incidents such as the widely reported ransomware disruption at Jaguar Land Rover have underscored how severe cyber-related downtime can be when it occurs, often shutting down entire plants and supply chains. As a result, cybersecurity investment has become a dominant focus for many manufacturers.
However, Macrium’s research suggests this narrative masks a different day-to-day reality on factory floors. While nearly three-quarters (74%) of manufacturers experience downtime at least annually, and almost half of North American manufacturers and over a third in the UK estimate losses exceeding $100,000 per hour, cyberattacks and ransomware account for just 5% of primary downtime causes. Instead, outages are far more commonly driven by operational and environmental failures, led by planned maintenance gone wrong (18%), configuration loss or change (16%), and network failures (16%).
“Cyber incidents tend to dominate news cycles, because when they do occur, they can be highly disruptive,” said Dave Joyce, CEO at Macrium. “But our research shows that, day to day, manufacturing downtime is far more likely to stem from routine operational failures and an inability to get things back on track smoothly and swiftly. Organizations that focus too heavily on prevention alone risk overlooking the recovery capabilities that ultimately determine how quickly production can resume – whether the cause of downtime is internal or external.”
The study highlights a “recovery gap” – a growing imbalance between cybersecurity investment and recovery readiness. While more than half (55%) of manufacturers experienced a ransomware incident in the past year, most attacks were successfully blocked or contained. At the same time, recovery performance remains inconsistent: three-quarters of manufacturers report that it takes more than two hours to restore operations following an outage, costing upwards of $274,000.
The findings highlight the need for manufacturers to prioritize recovery speed and operational resilience alongside threat prevention. While cybersecurity remains essential, particularly given the scale of disruption cyber incidents can cause, investment weighted too heavily toward prevention can create a false sense of security if organizations are not equally prepared to recover quickly from far more common operational failures.
“As manufacturing environments become more complex and interconnected, resilience can no longer be treated purely as a cybersecurity issue,” added Joyce. “Backup, recovery, and regular testing must be treated as core operational disciplines rather than secondary controls. The ability to recover quickly is ultimately what protects productivity, revenue, and customer trust when disruption inevitably occurs.”
