Why Bayer Chose BitSight

Ewen O'Brien | November 13, 2019

Companies must build a "trust and verify" strategy for managing third-party risk. Requesting documentation about a supplier's security performance is a good start, but how do you verify it, and how do you keep reviewing performance once the documentation is filed?

These are pressing issues for organisations today. The bottom line is that an organisation can follow every best practice in the cyber security book, but its third parties must meet the same security obligations if the supply chain is to be protected from risk. Companies must continuously assess and review the security posture and performance of all partners, in order to keep visibility as the threat landscape changes and to prioritise risk-mitigating actions. As vendor ecosystems continue to expand, having the tools in place to analyse third-, fourth- and even fifth-party risk has never mattered more.

But where do you start?

A good approach is to tier your third parties by criticality: prioritise your effort on those who have access to the most sensitive data or provide the most important services. For immediate insight, use a security rating, which is built from publicly observable data and gives broad coverage across a variety of risk areas; because it is based on what is visible from outside, it complements rather than replaces the questionnaires and audits you reserve for the most critical vendors. Recognise that the exposure does not stop at third parties: partner with your third parties and use data and automation to understand your 4th-, 5th- and Nth-party risks.

This is exactly what Bayer, one of the largest life science companies in the world, has just done. Headquartered in Leverkusen, Germany, Bayer is a global enterprise with core competencies in the Life Science fields of health care and agriculture.

Bayer kicked off a programme to streamline the work it was already doing to understand the cybersecurity posture of its vendors. It considered alternatives such as sending out questionnaires or conducting audits, and concluded that those methods require substantial internal effort, so they should be focused only where substantial risk lies. Bayer realised that covering its top vendor ecosystem with a dynamic, automated and continuous method of obtaining data would be the most efficient solution.

It therefore approached BitSight with a view to using our security ratings platform. Issuing daily ratings that work like a credit score for security, we help companies flag not only their own risks but also those of the companies they do business with, such as vendors, partners, suppliers and acquisition targets.

The BitSight platform gives Bayer a rating for each vendor on a scale from 250 to 900, continuously updated from the data observed; the higher the rating, the better the vendor's security posture. The programme has now commenced and will be evaluated after six months, but the team at Bayer is convinced it will quickly see the benefits.

Using the BitSight platform, Bayer now has data-driven, dynamic measurements of the cyber security performance of its third-party vendors. Because the data comes from objective, verifiable observation rather than self-reported answers, it gives Bayer the confidence to make faster, more strategic cyber risk management decisions.
