Are Businesses Unprepared to Fight Bot Attacks?

Businesses know bots present a big threat to their security and sensitive data. But they’re not doing nearly enough to mitigate the problem, according to new research from Netacea, which looked at data across the travel, entertainment, e-commerce and financial services sectors.

The survey found a high awareness of how bot attacks could negatively affect a business, with over 70% of businesses acknowledging that they are aware of the most common bot attacks including credential stuffing and card cracking. And, in fact, 76% said they have suffered a bot attack.

But the research, titled “The bot management review: The challenge of high awareness and limited understanding,” also found those same businesses said only 15% of their web application resources are taken up by bots. The researchers say this indicates companies are unprepared to tackle the bot problem. 

With over half of web traffic today generated by bots, this implies that businesses are unaware of a great deal of the bot traffic on their sites,” said the firm in a statement on the research.

The survey also said businesses are not aware of the dark market sites where their customers’ usernames and passwords can be bought and sold, with only 1% of respondents saying they are familiar with them.

Who’s Responsible for Fighting Attacks?

This lack of visibility may be the result of a “pass the buck” mentality, according to Netacea. The research found only 1 in 10 businesses say that bot mitigation is the responsibility of a single department or person. Almost two-thirds said it is the responsibility of four or more departments, “making passing the problem along—or even ignoring it completely—much more of a possibility,” according to the firm.

Harish Siripurapu, founder of security consultancy Cyber Align, said he thinks some organizations could be confused simply because of the type of attacks typically seen with bots.

“The fundamental problem is that credential stuffing attacks are a gray area between cybersecurity and fraud. Compromising a customer’s account using credentials available in the Dark Web is fraud and account takeover, not necessarily a cyberattack,” he said. “Even in companies where a CISO is made responsible for e-commerce security, fraud and scams such as account takeover, are not typically managed by the CISO. Bot detection technologies don’t get on a security road map. Hence, there is no visibility and awareness.”

On the other hand, DDoS attacks, another kind of bot attack, do have the attention of the CISO in most organizations, noted Siripurapu.

Credential Stuffing: The Leader in Bot Attacks

These days, credential stuffing is one of the best-known attack methods deployed by criminals using bots. The most recent Verizon Data Breach Investigations Report (DBIR) from 2019 finds credential stuffing was used in 29% of all data breaches.

“Credential stuffing has been recognized as the No. 1 security threat in the world for a couple of years now, and has been rising steadily since the term was coined in 2011,” said Shuman Ghosemajumder, head of global AI at F5.  “In any case, measuring bot activity is challenging, and my recommendation to security teams who want to detect bots as accurately as possible would be simply to use the best technology you can afford. Just as different analytics products will count users differently, we have found that most bot detection technologies have both false positives and false negatives when it comes to detecting very sophisticated bots.”

Netacea noted that its survey found nearly all businesses were either investing in, or planning to invest in bot management, and almost none were cutting back on such technologies.

Avatar photo

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

joan-goodchild has 37 posts and counting.See all posts by joan-goodchild