Netacea: Businesses lose up to $250M every year to unwanted bot attacks

Bots are costing businesses, on average, 3.6% of their revenue, according to a new report from Netacea. On average, it takes enterprises three months to identify that a bot attack has occurred. This failure to detect and stop attacks is due, at least in part, to the lack of a unified approach and shared language in the bot community and a lack of understanding around the methods and motivations behind bot attacks. The absence of methodology and framework has left the door open for threat actors to continue to carry out attacks. As long as this problem remains, bots and their operators will have the upper hand.

Over half of all web traffic is made up of automated bots. This is often seen as simply an interesting fact, but bots are causing real harm to businesses — often to the tune of millions of dollars.

The events of the last eighteen months have seen every business in every sector rethink how they operate. Some sectors have been hit more than others, but no business has been immune. The travel sector has been among those worst hit, but a faltering economy means that even those sectors that might benefit from extended lockdowns — such as online entertainment — are at risk from worries about disposable income.

In these circumstances, the last thing any business needs is to see its revenue squeezed even further. Unfortunately, the shift to online has only encouraged bot operators. In 2020, two-thirds of businesses detected website attacks, just under half had their mobile app attacked, and a quarter — mostly financial services — saw bots attempt to compromise their API. Many businesses are operating at razor-thin margins, and bots are costing them 3.6% of their revenue.

For 25% of the businesses surveyed in this report, that’s a quarter of a million dollars lost.

Our survey also reveals that every sector is facing this problem, though the type of bots and where they are attacking may differ. The biggest problem for most businesses are account checker bots that use breached passwords to take over accounts through credential stuffing, though sniper bots, scalper bots and scraper bots are not too far behind.

One of the biggest surprises is where these attacks are originating. Bots, attackers and customers are often from the same parts of the world unlike, for example, DDoS attacks. There is perhaps a certain confidence among bot operators that they are unlikely to be detected and caught, and so there is little risk from operating in countries within reach of the authorities.

A common theme concerning all of the cybersecurity industry right now is not just attacks, but the length of time between attacks and their discovery. In the case of some high-profile attacks, there have been months between the incident and the realization that something is wrong, meaning hackers have free rein the entire time. Bot attacks follow this pattern, with around 14 weeks between attack and discovery.

Businesses are aware that bots are a problem and understand the effect they are having on customer satisfaction and their already-squeezed profit margins. The problem they face now is turning this awareness into action. With only 5% of security budgets allocated to the problem, changing this may prove difficult.

Read the full report from Netacea.