Keep up with the latest announcements from Google Cloud Next '21. Click here.

Identity & Security

Protect against bot attacks to future-proof your business

#security

More business is done online than ever before, which means bot attacks are up and the stakes are higher and higher for businesses. In 2019, bots accounted for over half of all automated web traffic and nearly a quarter of all internet traffic. Organizations are aware of the growing increase in bot attacks and the need to defend against them. However, most organizations recognize they are not prepared to protect against bot and malicious-automated attacks. Google commissioned Forrester Consulting to evaluate bot management approaches in order to help our customers protect against online fraud and abuse. Today, we share our findings from the research, including the most prevalent attacks targeting businesses and how to protect against them. 

Businesses understand the impending threat of bot attacks, but acknowledge they are not yet prepared for them.  

In our research, we see that 84% of companies saw an increase in the number of bot attacks over the last year. The transformation of so many businesses into digital businesses due to COVID-19 increased the number of attacks; 71% of companies experienced an increase in the number of successful attacks, and 56% of companies reported seeing different types of attacks. 

Despite being aware of the rise in bot attacks, most organizations are not prepared to fend off them. Most are not using the right combination of security products to protect against bots. 78%  of organizations are using DDoS protection, WAF, and/or CDNs to manage bots; only 19% are currently using a full bot management system. DDoS protection, WAF, and CDNs are all important tools to protect web applications, but they do not sufficiently protect against bots. Bots attack an application’s business logic, and only a bot management solution can protect against that sort of threat. To effectively safeguard web applications from bot attacks, organizations must use tools like DDoS protection, WAF, and/or CDNs, alongside a bot management solution..

Organizations are also unprepared for bot attacks because they are not protecting themselves against the most important and common attacks. For example, only 15% of businesses are currently protecting themselves against web scraping attacks, yet 73% face these attacks on a weekly basis. 63% report losing between 1% and 10% of their revenue to web scraping attacks alone. On average, organizations are only protecting themselves against three different types of attacks — most commonly card fraud, ad fraud, and influence fraud attacks. Businesses need to take time to identify the most common attacks targeting them so that they can then put proper protection measures in place.

figure 2.jpg

Most businesses are currently too siloed to come together to defend against bots. 

Effective bot management relies on collaboration between many teams within an organization, including security, customer experience, e-commerce, and marketing. But on average, only two teams are involved in bot management, usually the application security and security operations teams. Yet, it’s the e-commerce, fraud, and network security professionals that most commonly consume the data from bot management tools. This disconnect can lead to the commerce or fraud teams being left out of critical bot management decisions.

Because there are so many stakeholders involved in bot management, organizations struggle to create a unified approach to deal with bots. The lack of a cohesive approach to manage and respond means that, on average, firms spend 424 hours — 53 working days — across roles resolving the situation after an attack. Consequently, this often means employee frustration is one of the biggest outcomes of bot attacks, creating even larger problems than lost revenue and customer trust. Spending almost two working months to resolve attacks means that employees spend too much time being reactive rather than proactive, and not enough time on strategic work.

figure 5.jpg

Make strategic investments and organize to protect against bot attacks. 

Your business can better protect against attacks by implementing a bot management solution and creating well-defined processes. Based on our research, here are some of our key recommendations.

You’ll want to first gather security, fraud, marketing, e-commerce, and executive stakeholders to understand your organization’s bot risk and assess your requirements for a bot management solution. To reduce employee frustration, send both weekly and supplemental reports on bot trends and particular bot incidents to all concerned parties, to show the progress you’ve made.

Next, invest in a bot management solution that can detect even the most sophisticated bots. You want a solution that can keep up with bots as they evolve, and employ a range of responses to deflect  attacks. It’s also important to prioritize your customer experience, and avoid adding friction to legitimate customer interactions. One way to do this is track false positives and customer usage metrics, and review those weekly to make sure that your bot-prevention challenges aren’t turning customers away. This will help protect your employees’ and customers’ time and loyalty. 

We also recommend that you look for solutions that give your internal teams visibility into bot traffic and enable them to respond quickly to bot attacks. You should include bots in your risk assessments and conduct quarterly reviews of the content, products, and services that could make your applications vulnerable to attack. In addition to gaining better visibility into threats, this will help you track the number of bot incidents and internal response costs to see if your bot management implementation is reducing the number of incidents and the time your team spends in remediation.

To learn more about this research and how to apply best practices, read the study and watch our webinar on demand.