When “Good Enough” Bot Protection Negatively Impacts the Bottom Line

March 4, 2021 | by Matt Keil

Lending support to the business impact of bots we discussed in a webinar a few weeks ago, Google has released the results of a survey performed by Forrester that further quantifies the true impact malicious bots have on an organization. Spurred by a global pandemic that forced most businesses to move online or fail, and by a parallel increase in highly sophisticated malicious bot activity, organizations are realizing that bots are impacting all aspects of the business.

Negative Business Impacts

To some, this information is nothing new – bots have always had an impact on the business. What is new is the extent of the impact, which has now reached the executive levels of visibility. The report documents that organizations have seen revenue losses as high as 10%; increased employee frustration due to time spent responding to an attack, as opposed to doing their job; poor decision making due to skewed marketing and sales analytics; and the negative impact on the customer who is unable to buy the high-demand item.

These data points are consistent with what we are seeing in our customer environments. Bots are driving up IT costs as the ops team scales infrastructure to handle increased volume during an attack. Web and mobile app teams are experiencing outages or slowdowns due to attack volume. Retailers are experiencing higher bank transaction expenses caused by higher volumes of gift card balance checks due to sophisticated gift card fraud attacks.

Customers are frustrated and sharing their experiences widely. Shoppers are forced into a “waiting room” for hours by CDN-based queueing because the prevention offering cannot scale. They face slow websites due to embedded JavaScript and high-volume (bot) traffic, disabled mobile apps, and entire regions and organizations of IP addresses blocked – all in a futile effort to enable a real human to execute a transaction. Social media is jam-packed with negative customer experiences. Survey respondents agree that their customer is of paramount concern. Not mentioned in the report but documented widely, losing a customer is a loss amplified by up to five times – the revenue PLUS the cost of acquiring a new replacement customer.

Good Enough Security Is Insufficient

In this case, the term “good enough” is not a criticism of the decision to buy or implement the existing bot solution, be it a WAF, home-grown, a CDN or a mix of all three. At the time, the decision was correct. However, times and technology have changed – the report validates that only 19% are currently using a full bot management system and a mere 26% of the survey respondents agree that their organization is sufficiently prepared to detect and defend against today’s new, advanced bot attacks.

Advanced attacks like price and content scraping mentioned in the report are left unaddressed by roughly 85% of the respondents, yet 73% are impacted by them on a weekly basis. And 63% report losing between 1% and 10% of their revenue to web scraping attacks alone. Many businesses focus on the types of attacks most commonly in the news (Account Takeovers, Credential Stuffing, Fake Account Creation) rather than the attacks that can cause the most damage to their bottom lines.

Not discussed directly in the report, but certainly implied and a pattern we have observed, is the fact that bots have become big business in and of themselves – particularly in the world of automated shopping bots. As we discussed in our Bots-as-a-Service blog, bot vendors have evolved from scripts on the dark web to “legitimate” businesses. These full-service offerings are complete with marketplaces that enable the purchase of bots for specific targets, full product support and GitHub repos for new features and releases. Validating the increases in both volume and success, the report points out that over half of all retail businesses report experiencing a revenue loss because of bot attacks. Underneath the covers of the new generation of bots is everything you need to launch an attack:

  • Tools that include pre-built configs, packaged solutions for all CAPTCHAs (including Google reCAPTCHA), and reverse engineered JavaScript/mobile SDKs from the various bot prevention offerings.
  • Bulletproof Proxy vendors that supply an infrastructure of millions of high-quality, residential IP addresses that can be used to mask identity and location, making the malicious transactions appear legitimate.
  • A regularly refreshed cache of stolen credentials that frequently use weak or repetitive passwords.

Increased Investment to the Rescue? 

For beleaguered security, fraud and e-commerce teams spending too much time chasing attacks, the report has positive news – 75% of decision-makers have noted that they expect to invest more in bot management over the next 12 months than they have in the past 12 months. And C-level executives are on board: Only one-third of organizations anticipate an executive team roadblock, meaning that for two-thirds of organizations, the C-level is ready to back these investments. The end goal of the investment is to improve security and detect threats – perhaps reducing the days spent investigating an attack to hours or perhaps minutes. Improving CX was the third most highly rated priority for business leaders, an effort that ties directly to the goal of improving bot management: As you improve your organization’s ability to detect and respond to bot attacks, your customers have a better experience navigating your site. The report goes on to recommend including all e-commerce-related teams – break down the silos by engaging with application security, operations, fraud, commerce, and marketing – all of whom are impacted by bots.

Five Ways Cequence API Spartan Can Help

If you’re one of the organizations looking to make an investment, then you should check out Cequence API Spartan, a dedicated bot mitigation solution that differentiates itself from others in these five ways:

  1. No Application Integration Required: Using CQAI, a patented ML-based analytics engine, API Spartan begins protecting all web apps and APIs as soon as they are deployed – eliminating the impact that JavaScript and mobile SDK integration have on development teams.
  2. Unmatched Breadth of Attack Coverage: CQAI’s Behavioral Fingerprinting prevents the broadest set of attacks, including attacks targeting APIs, scraping attacks, and highly sophisticated automated shopping bots.
  3. Consistent Protections for APIs: APIs cannot be instrumented by JavaScript or an SDK, which means competitors will often try traffic redirects, cookie insertions, or volumetric analysis to protect APIs – all of which are cumbersome and relatively ineffective. CQAI’s Behavioral Fingerprinting tracks users as they move across your endpoints.
  4. Not a Black Box: Other bot tools are closed. Cequence provides a rich user interface with powerful analytics, reporting and automation tools that allow you and your team to respond quickly to any malicious bot attack in minutes, not weeks as the report points out. REST APIs enable data to be exported to other security tools like SIEMs, SOAR, or anti-fraud. APIs also allow you to import data to enhance your findings.
  5. Deployable Anywhere: Some tools have limited options, requiring workarounds. The Cequence platform is Kubernetes-based and can be deployed as a SaaS, in your data center, the cloud, or a combination thereof.

If you’re looking to improve your bot prevention and your bottom line, drop us a note and we’ll give you a demo to show you what we can do.

Matt Keil

Director of Product Marketing
