Manufacturing & Logistics
Your biggest security risk isn't on the floor. It's in accounts
Security support for NZ manufacturers, food processors, and logistics operators — built for the phishing email that reaches the production line, the legacy controller no one can patch, and the customer questionnaire that turns into a deal-stopper.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with an upstream parts supplier asking whether OT can be proved segregated from the office ERP.
Waiting costs more on the shop floor. A supply-chain audit becomes a suspended export order. An insurer questionnaire becomes a ransomware exclusion on the factory-floor policy. A customer certification question becomes a failed ISO 9001 surveillance. Every shift of unplanned downtime outlasts the time the answer would have taken.
Common Pressure Points
Where the questions cluster before the deal lands
Where the insurer, the parts supplier, the ISO 9001 auditor, and the factory-floor OT team all want different views of the same control
Monday's email attachment reached the production line by Monday afternoon
A phishing email lands in accounts on Monday morning. By afternoon the ransomware has moved through the flat office network onto the central ordering system, and by the time production notices, the line controllers can't reach the recipe server. Twelve hours of lost production. The bad email and the plant outage are the same incident.
The workstation driving the mixing line runs Windows 7. It can't be patched
Commissioned in 2011, running vendor-locked software where the patches stopped landing in 2020. Replacing it means three days of downtime and six figures. Meanwhile it sits on the same network as your office PCs. Every ransomware campaign that finds it is one that could walk your operation to zero.
Your largest customer just asked for your ISO 27001 certificate. You don't have one
The supplier questionnaire came in on Friday. It asks for your ISO 27001, your incident response plan, your subprocessor list, and your vendor management approach. The deadline is two weeks. The account is worth more than the rest of your export customers combined. And none of the answers are ready.
Every product design sits on one engineer's laptop. He retires in six months
Formulations, calibration files, and three years of customer-specific variations live on the senior engineer's personal setup. He's retiring in half a year. Nobody knows what's on there that isn't also somewhere else, and nobody has the authority to stop him emailing files to his private address.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first move: an OT-aware control baseline, a tested incident response for production downtime, and one piece of evidence for the next supply-chain audit
Stop Guessing When A Buyer Asks How Secure You Are
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
Track The Suppliers That Could Expose The Business
Track supplier security risk in one place so onboarding, renewals, and exceptions stop living in scattered emails and spreadsheets.
Run The First Hour Of An Incident Without Winging It
Give the team a usable response plan for the incidents most likely to hurt the business, before the first real incident hits.
See What Information Runs The Business
Know which information loss would hurt first, who owns it, and where it sits before security, privacy, or continuity decisions get made in the dark.
Pass The Insurance Renewal Without A Three-Week Scramble
Prepare the business for cyber-insurance applications and renewals with clearer control evidence, cleaner questionnaire answers, and fewer surprises from underwriters.
Stop Maintaining Policies Nobody Actually Reads
Put the policies the business actually needs in place, keep them current, and stop policy work turning into an annual scramble.
Questions We Hear
The questions every discovery call opens with
We're a mid-size manufacturer — can we justify the cost of security support?
Manufacturing is the number-one most-targeted sector globally for ransomware, with attacks surging 61% year-on-year. Firms face an average of 28 days of operational downtime and $1.3 million USD in recovery costs following an attack. Even a fraction of that impact dwarfs the cost of structured monthly support. Support starts from $1,750 a month — less than the cost of a single day of unplanned production downtime for most NZ manufacturers.
Our IT team handles our cybersecurity — why do we need more?
Your IT team manages your corporate network and business systems. But operational technology, IP protection, supply chain oversight, and customer compliance requirements sit outside that remit. When ransomware moves from your email server to the production line, the response needs coordinated decisions across IT, OT, operations, and leadership — not just IT troubleshooting.
We haven't been targeted — why invest in security now?
Manufacturing is the most-attacked sector globally for ransomware, with attacks surging 61% year-on-year. Attackers target manufacturers because production disruption creates immediate pressure to pay, and IP has high resale value. The Mercury IT attack demonstrated that even NZ organisations that think they're not targets can be compromised through their supply chain.
What about our operational technology — can you assess OT security risks?
Yes. Our assessments cover both IT and OT. We run structured OT risk assessments that identify vulnerabilities in production systems, SCADA controllers, and industrial sensors without disrupting operations. The focus is on practical compensating controls, network segmentation, and ownership structures that account for the reality of legacy systems that can't be patched.
What Usually Happens Next
Cut the chance that one Monday email becomes Wednesday's production outage
If downtime, customer questionnaires, or a legacy controller you can't patch is already weighing on the ops meeting, we'll help you decide which segmentation, which evidence, and which ownership gets sorted first — without pretending the plant can stop for a day of paperwork.