New research reveals bot attacks cost companies the equivalent of over 50 ransomware payouts every year while remaining undetected for four months. Here’s how to protect your business.
The financial impact of malicious automated attacks is greater than ever, according to new research.
The average bot attack costs each company $85.6m, according to the study by Netacea, the bot detection and response specialist.
This is the equivalent of over fifty average ransomware payouts, or the 8th highest ever GDPR fine - every single year.
The research also found that most bot attacks now come from Russia and China.
The report surveyed 440 businesses with average online revenues of $1.9bn across the travel, entertainment, e-commerce, financial services and telecoms sectors.
72% of those surveyed had suffered attacks originating in China and 66% from Russia.
Overall, over half (53%) of all bot attacks came from these two countries, with Russian threats increasing by 82% in just the last two years.
Rob Black, lecturer in information activities at Cranfield University, said: “Economic coercion, in today’s age, doesn’t need to be the physical blockading of ports with gunboats.
“Instead, it can be the manipulation of markets or the slow bleeding of wealth from organisations not aligned with the hostile actors’ objectives.”
Cyril Noel-Tagoe, principal security researcher at Netacea, added: “One explanation for the success of threat actors is that they are evolving their attacks, with API-based incidents now reported by 40% of businesses.
“Simultaneously, the targeting of mobile apps has also gained prominence—surpassing web-based attacks for the first time as attackers seek to exploit less fortified avenues. With more businesses using APIs and mobile apps, it presents a larger threat surface.”
The risk of complacency
The research found that the average business loses 4.3%, or $85.6m, of online revenues every year due to the volume of attacks now being enabled by malicious automation.
This is more than double the financial impact in 2020, when the average cost was just $33.3m per business.
Bot attacks take businesses four months to detect on average.
Such long dwell times compound business impact by giving sophisticated bots a lengthy opportunity to harvest value from companies.
Almost every organisation (97%) reported that it takes over a month to respond to malicious automation threats.
99% of businesses that admitted being attacked by bots also said they had noticed rising threat volumes over the previous year - with the top three attack types being Sniping, Credential Stuffing and Scraping.
Gift Card Fraud also emerged as a fast-rising attack type, with over ¼ of companies saying they had seen a significant increase in this threat.
Andy Still, co-founder of Netacea, said: “Big ransomware attacks and GDPR fines grab headlines, but what we’ve uncovered is more insidious, and far more costly to businesses - what we’ve called ‘death by a billion bots’.
“The cumulative effect of these attacks is wiping tens of millions of dollars in value from online businesses, not to mention the effect on their reputations and operations, yet this activity is low-key enough to remain undetected for months.
“With the fastest growth seen in countries where there is little chance of law enforcement, businesses can only expect these attacks to increase in number.”
How risk managers can minimise the threats
It’s important, first of all, to understand the scale of the issue.
Bot attacks often go unnoticed, with the cost of the problem spread across multiple departments and “hidden in the numbers”.
The impact tends to be far worse than many realise, and this means the problem needs to be a board-level discussion alongside ransomware attacks and data breaches.
Still said: “Businesses need to know how these attacks are affecting them and how they are changing - are attackers shifting to mobile apps and APIs as our research suggests? How much is being lost to bot attacks? Is it getting worse?”
The best protection is a dedicated solution. Some security packages come with bot mitigation as an add-on, but this protection is often crude and today’s sophisticated bots are designed to work around, for example, basic rate limits.
Still added: “Businesses need sufficiently intelligent AI-driven defences in place if they want to avoid death by a billion bots.”