Businesses underestimate negative impact of bot traffic

Business leaders say about 15% of their web application resources are taken up in dealing with the impact of automated bots on their organisations – but half of traffic on the world wide web is now thought to be generated by bots. So it is clear that many are vastly underestimating the impact on their organisations, according to new research by Netacea, a specialist in bot detection and mitigation.

Working with b2b researchers Coleman Parkes, Netacea quizzed 200 organisations to try to understand awareness and understanding of this issue, and found that business leaders tended to be highly aware of how bots impact the cyber security of their organisations through, for example, credential stuffing and card cracking attacks, or even just scraping openly-available data, but they were largely unaware of just how much traffic to their websites is generated by bot activity.

“Current circumstances mean that businesses are relying on their online presence more than ever before,” said Netacea CTO Andy Still. “This also means more opportunities for online criminal enterprises looking to increase their profits. And while the majority of businesses are not oblivious to the problem of bot attacks, the inevitable conclusion of this research is that this awareness is not leading to action.

“High-profile attacks, such as ransomware that locks down sites completely, have dominated the headlines recently, which may have led to this complacency. Bot attacks, while more subtle, can be just as devastating to a business, as accounts are stolen and sold on, card fees become crippling, and bad decisions are made on the basis of faulty data.”

Netacea said the lack of visibility around bots may come down to a lack of responsibility, with just 10% saying that bot mitigation was delegated to a single department or person. Where organisations did have a single clear bot mitigation owner, it tended to be the CISO.

However, almost 66% said responsibility was more diffuse, falling to four or more departments within the organisation, such as IT, security, website development, or even marketing. This may give people more reason to pass the problem on to someone else or ignore it entirely.

Another reason for the disconnect, said the firm, may be the conflation of bots with botnets, which are not the same thing, but are more widely understood and feared for their role in large-scale distributed denial of service (DDoS) attacks bringing down large websites.

Netacea also reported almost blanket ignorance of the wider cyber criminal ecosystem around bots. For example, just 1% were aware of the existence of dark web marketplaces that sell on stolen or compromised accounts.