Bayer has fundamentally redesigned its security awareness program to address AI-powered social engineering attacks that bypass traditional detection methods. The life sciences company eliminated technical guidance focused on spotting spelling errors, suspicious URLs, and malformed attachments after recognizing that modern AI tools generate flawless phishing content in multiple languages at scale. Instead, the mandatory training now teaches employees to recognize psychological manipulation tactics, question authority claims, and pause before breaking established processes.
The strategy's effectiveness was demonstrated when Bayer's CFO for Europe, Middle East and Africa received a convincing deepfake voice call from someone impersonating the global CFO requesting an urgent weekend money transfer. Staff members followed the new behavioral protocols, reported the incident, and prevented any financial loss. CISO Kevin Jones cited this incident as proof that psychology-focused training can transform employees into an effective first line of defense against increasingly sophisticated attacks.
Bayer has implemented a tiered access model that links AI competency to platform permissions. Employees must complete small, role-based training modules before accessing myGenAssist, the company's internal generative AI platform, with additional requirements for those building automated agents. This gated approach incentivizes training completion while allowing security teams to track data usage patterns across the organization.
The company is extending these requirements beyond its workforce to third-party suppliers. Updated procurement contracts now include AI-specific security annexes requiring vendors to disclose how they use Bayer data, which AI tools they employ, and to report security incidents. Suppliers must also complete AI training before receiving tiered access to Bayer's internal platforms. An internal AI Governance Council sets standards that external partners integrating with Bayer's AI ecosystem must meet, with contract changes rolling out to major partners now and across the full supplier base over 18 months.
Jones also outlined plans to transform Bayer's security operations center from manual triage to supervised automation within two to three years. He expects SOC analysts to shift from hands-on intervention to oversight roles as agent-assisted processes scale, requiring new operational playbooks and training. Jones suggested reframing SOCs as cyber resilience centers capable of making controlled environmental changes to maintain security posture in an AI-driven threat landscape.
Source: https://www.infosecurity-magazine.com/news/bayer-reinvents-security-awareness/