
Bayer is transforming its security awareness training to better address AI-driven threats in the pharmaceutical sector, as highlighted by Kevin Jones, the company's Chief Information Security Officer (CISO), at Infosecurity Europe 2026.
In a significant shift, Bayer has moved away from traditional technical training methods, which often focused on identifying basic red flags like spelling errors or suspicious links. Jones emphasized that these tactics have become obsolete due to sophisticated AI-generated attacks. Instead, the company is adopting a psychology-first approach, training employees to recognize psychological manipulation and encouraging them to critically assess situations before acting.
This new mandatory training has already proven effective; Jones recounted an incident where a staff member received a convincing call that could have led to a financial loss, but thanks to the training, the situation was reported, and no money was transferred. This illustrates how understanding adversary psychology can empower employees to act as a frontline defense against social engineering attacks.
Moreover, Bayer has tied access to its internal AI platforms to the completion of these training modules, creating a structured model that incentivizes staff to engage with the training. This approach not only enhances security but also enables the tracking of employee competence in AI usage. Looking ahead, Jones envisions a future in which security operations teams evolve from manual processes to more automated, AI-assisted workflows, redefining Security Operations Centers (SOCs) as cyber resilience centers.
Finally, Bayer is reinforcing its commitment to AI governance by requiring third-party suppliers to complete similar training and adhere to updated procurement contracts that specify AI usage transparency. This strategic alignment aims to ensure that all partners meet high standards for data security and responsible AI deployment.