Crystal Ball 2025: Now’s the time to strengthen your company’s cybersecurity compliance

A note from Scott Achelpohl, managing editor, Smart Industry:

Welcome to the Crystal Ball Report for 2025, which will appear in this web space the rest of December and into January as a series of contributed pieces from esteemed experts in manufacturing technology.

We've invited these thought leaders to look into their "crystal balls" and tell us what's ahead (with an emphasis on data, AI, and cybersecurity—which will be a particular focus of Smart Industry's in the new year).

So please enjoy the series and, from all of us at SI, have a happy and safe holiday season.

As we look toward 2025, cybersecurity compliance will become central for manufacturers, reshaping the way companies protect themselves and gain a competitive edge in their partnerships.

Smart Industry podcast featuring Joe Anderson: Tighter cybersecurity starts with better password practices

eHandbook: Cybersecurity

Cybersecurity isn’t just for the IT team, it demands a whole-company effort, from leadership to the supply chain and beyond. With risks popping up in everything from supply chain vulnerabilities to data breaches, businesses are feeling the pressure to make cybersecurity a companywide focus. Manufacturers will need to be proactive, treating cybersecurity as a core part of their operations.

Small manufacturers are large target for cyberattackers

Attacks on manufacturers are up across the board, affecting both big players and smaller suppliers. Smaller manufacturers, particularly those working with larger companies, often think of themselves as "the little guy" and believe they won’t be targeted. However, threat actors often view them as easy access points into larger networks.

Direct access to sensitive data or critical systems poses a significant risk, as one weak link can lead to broader breaches. Putting strong security measures in place is challenging, particularly for small manufacturers with limited resources, both in terms of budget and technical expertise.

As a result, more manufacturers are turning to recognized cybersecurity standards to strengthen their defenses. Manufacturers will need to turn to frameworks like NIST or ISO 27001 to help drive security and align security with the business operation in a more systematic way.

More of what's to come in the Crystal Ball Report for 2025:

Insights on 2025 from conversations with manufacturers, by Josh Cranfill, Quickbase
AI, automation, and insider threat detection, by Chris Scheels, Gurucul
Business leaders should look inward to identify what they can control, by Michael van Keulen, Coupa
Cybersecurity trends that will reshape private content security, by Patrick Spencer, Kiteworks
Configurability, modularity, and AI: The 2025 challenges, by Damantha Boteju, Henrik Hulgaard, and Daniel Joseph Barry, Configit
IT and OT convergence will be cybersecurity stress test, by Aron Brand, CTERA
2025 prediction thread, by various authors
Your opinion counts: Results from SI's reader poll on 2025, by Scott Achelpohl, Smart Industry

In the past, companies would rely on “self-attestations” to vouch for their own security, but that’s not enough to meet the challenges of today’s landscape. Now, third-party verification has become the standard to make sure cybersecurity promises hold up. Manufacturers that want access to lucrative contracts will need to adopt better security to protect their and their customers’ data.

Going forward, manufacturers aiming for top contracts will be expected to adopt a rigorous security posture, protecting both their operations and their customers’ data. The following are a few examples of compliance requirements to be on everyone’s radar for 2025.

CMMC: Tougher rules for defense contractors

U.S. Department of Defense (DoD) contractors have been gearing up for the cybersecurity maturity model certification (CMMC) for the better part of a decade now, and it’s finally expected to launch soon. This new requirement will apply to all suppliers working with DoD, affecting both primary contractors and subcontractors.

The DoD has issued two new rules to make this happen: one officially establishing the CMMC program and certification part, and another requiring CMMC standards to be included in defense contracts. This shift means that suppliers that want to keep DoD contracts will have to meet these standards, so companies are moving quickly to prepare.

Delaying compliance may leave contractors struggling to keep up as CMMC requirements become non-negotiable. Given the time-intensive nature of CMMC preparation—up to 28 months for some—early action can be a decisive advantage.

Contractors without certification won’t qualify for new contracts or contract renewals, and misrepresentation can trigger severe penalties under the False Claims Act. The fines are significant and may include the loss of current and future contracts. Notably, whistleblowers can receive a percentage of the penalties and damages, making this a critical area for honest reporting.

Automotive sector: TISAX sets the standard

By 2025, the Trusted Information Security Assessment Exchange (TISAX) will continue to solidify its position as the cybersecurity standard for automotive cybersecurity with more suppliers requiring mandatory third-party audits. Since 2017, TISAX has been the go-to cybersecurity standard across the automotive supply chain. TISAX has set specific security requirements for suppliers, and the ENX Association oversees verifying certifications.

For new suppliers looking to work with automakers, meeting TISAX standards is often expected from day one. A security gap anywhere in the supply chain could put entire networks at risk.

Many new suppliers start with a risk assessment to pinpoint any security gaps, then work with third-party experts familiar with TISAX to help close those gaps and make the certification process smoother. TISAX certification lets automotive suppliers show they meet high-security standards, which strengthens their credibility.

Cyber insurance: Requirements are rising

In 2025, manufacturers will likely see even tighter requirements as insurers demand stronger evidence of security measures. Companies without these protections may find premiums going up, and in some cases, coverage even being denied.

Recovering from a data breach is costly, so insurers are looking for companies to put protections in place that help keep risks low. This shift is leading more manufacturers to establish formal security controls to help them qualify for cyber insurance and boost their overall security.

Not too long ago, cyber insurance requirements were simple. But now, insurers want to see companies using better controls like multifactor authentication, advanced endpoint protection, and a robust incident response plan. We foresee insurers continuing to raise requirements for security measures.

Without these practices in place, businesses will find it harder to get insurance coverage or will struggle to afford comprehensive coverage. This trend toward documented technical protections, policies, and plans is set to continue, as insurers seek assurance of comprehensive, formalized security measures.

Moving from self-certification to third-party verification

In 2025, more industries will insist on independent verification, leaving self-certifications behind. In the past, companies could simply say they were compliant, but this approach would often miss critical gaps. Now, more industries want companies to get independent verification to make sure their cybersecurity practices hold up.

More manufacturers will find that third-party verification not only supports compliance but also signals credibility, an increasingly valuable asset as clients and partners prioritize verified security.

For manufacturers, this level of assurance has become more important as clients start to rely on verified security practices over self-reported ones. For many manufacturers, third-party assessments will become not only a compliance measure but also a competitive advantage in attracting new business.

New compliance standards in contracts

In the coming year, manufacturers can expect a rise in client-specific security standards within service contracts, making compliance a core requirement. This trend means manufacturers are often required to meet a range of client-specific security standards.

For companies that haven’t yet formalized a compliance program, these contract requirements are often the push they need to get one in place. Compliance will become a make-or-break requirement in manufacturing contracts.

While firewalls, multifactor authentication, and endpoint protection are all critical, real compliance requires more than just technology and spans the entire operation.

It takes a companywide approach, beginning with leadership buy-in, where employees understand security, policies are kept up-to-date, and regular audits are conducted to catch any weak points. We anticipate that formal governance, risk, and compliance (GRC) programs will become common, especially among small and midsize manufacturers, who will need these strategies to meet contract standards.

While there is investment involved in improving and maintaining security controls, this will net more in preventing or otherwise reducing the impact of an attack.

By embracing GRC programs and adapting to these new contractual standards, manufacturers can turn compliance from a cost into a strategic investment, positioning themselves as preferred partners in a security-conscious industry.

By preparing for these changes, manufacturers can use 2025 not just to meet compliance standards but to stand out as leaders in resilience, trust, and cybersecurity.

See also: The 2024 Crystal Ball Report