Malicious bots inflict material financial costs on enterprises: Bots take over customer accounts through credential stuffing and slow web and app performance through scraping. Bots also frustrate loyal customers and prevent purchases through scalping and inventory hoarding, steal gift card and loyalty points through enumeration, and rack up chargebacks and fines by validating stolen credit card data. Ineffective bot mitigation strategies, such as CAPTCHA and excessive reliance on multi-factor authentication, create security friction. This leads to revenue loss through lower conversion rates and abandoned shopping carts.
The costs that criminals impose through bots are so varied that it can be challenging for security professionals to explain the broad economic and operational impact of malicious bot traffic to an organization’s business leaders. This white paper presents an overview of the quantitative and qualitative impacts of automated bot attacks as well as the business benefits of successful bot management. We intend this document to serve as a launching point for conversations among infosec and fraud teams and the C-Suite about the top-line and bottom-line impacts of malicious bot attacks and the significant financial advantages of effective bot defense technologies.
"Malicious bot attacks are more than a threat to security infrastructure—they represent a business challenge that must be addressed to preserve your organization’s business operations and fiscal health."
A series of new research reports have captured the financial and business consequences that result from automated attacks by bots, making it easier for security professionals to point to the fiscal impact of cybercrime and discuss the return on investment (ROI) of dedicated anti-bot solutions with business leaders. This information can help security teams elevate critical discussions regarding the economic effect of bot attacks on an organization’s financial strength.
Bots are responsible for up to 40% of global online traffic and are a leading cause of cyberattacks, according to a report from Aite-Novarica Group. According to research cited by the Global Privacy Assembly, an association of over 130 data protection and privacy regulators and enforcers, 193 billion credential stuffing attacks driven by bots occurred globally during 2020, which equates to over 16 billion attacks per month and over 500 million attacks per day. These attacks can have serious economic consequences: Global online fraud losses are projected to exceed $48 billion a year by 2023, according to a report by Juniper Research.
Successful bot management strategies lead to improved cost management, enhanced operational efficiency, reduced business and financial risks, and controlled IT spending, all helping to deliver a direct positive impact on your organization’s financial success. In addition, accurate bot detection that doesn’t rely on controls that insert user friction provides improved revenue and customer retention.
Malicious bots are responsible for a wide range of automated attacks that have direct, negative economic impact on organizations, both on topline revenue and the cost of doing business. These attacks include:
Bot management has become a boardroom conversation; following are both quantitative and qualitative metrics to help you demonstrate that the right bot strategy is now a bottom-line economic issue.
Financial, operational, and reputational costs represent the primary impacts of automated bot attacks.
Automated bot attacks can also contribute directly to financial losses and lost economic opportunities by:
Bot attacks don’t just impact revenue. They also make businesses more expensive to operate by:
Qualitative impacts may be more difficult to measure than quantitative metrics, but this does not mean they are less important to organizations. Automated bot attacks can also contribute directly to these subjective value drivers through:
The primary takeaway is that bot management is an important business topic. Protecting your apps and infrastructure from bot attacks provides tangible financial benefits resulting from:
To illustrate the financial value and impact of successful bot management, consider the following case study. A major online retailer with 31 million user accounts and an average monthly revenue per user account of $54 was attacked by malicious bots. These attacks resulted in an estimated cost of $1 million per year from resolutions of credential stuffing and ATO incidents; expenses from settlements and call center support; as well as from lost revenue during site outages from bot scraping incidents and bot traffic exploiting web infrastructure and hosting resources.
F5 and the online retailer worked together to quantify the impact of deploying F5 Distributed Cloud Bot Defense as a bot management solution using business case metrics such as cost savings, revenue uplift, and revenue loss prevention. Using an interactive business case modeling tool, F5 and the online retailer determined that deploying F5 Distributed Cloud Bot Defense would lead to savings of around $930,000 in year one, with a cumulative cost savings of nearly $4.9 million over five years.
In addition, the modeling tool projected nearly $50,000 in revenue loss prevention per year from fewer site outages due to bot traffic, with between $200,000 and $1 million in revenue loss prevented yearly from lost user accounts and customer churn attributable to poor user experience. Improved conversion rates, resulting from frictionless user experiences and customers staying on the site longer, were projected to provide an additional $1.6 million revenue uplift.
The total economic benefit derived by the online retailer from Distributed Cloud Bot Defense totaled nearly $3.6 million after the first year, with a cumulative total economic benefit after five years of almost $19.5 million.
These projections align with the financial benefits discussed in a commissioned study conducted by Forrester Consulting on behalf of F5 (discussed in greater detail below). The Total Economic Impact™ of F5 Distributed Cloud Bot Defense study found that a composite organization representative of the five decision-makers that Forrester interviewed would experience total benefits of $9.72 million over three years, with an ROI of 195%, with the implementation of Distributed Cloud Bot Defense.
Explaining how bot attacks can impact operations and metrics as they relate to specific roles and functions in an organization is an important way of presenting the value of successful bot management.
The CISO cares about information security, cost control, and ensuring that IT enables the business mission; bots impact each of these concerns.
Bots compromise each aspect of the information security triad of confidentiality, integrity, and availability. A credential stuffing bot that takes over an account exposes data that should be kept confidential. Likewise, these bots enable attackers to alter data and perform transactions, violating integrity. Scraping bots skew data as do fake account creation bots, all violating the integrity of key business metrics. Finally, scraping and scalping bots can put such an increased load on a site’s infrastructure as to make it unavailable.
Bots impact costs in many ways:
Bots also concern CISOs in that they stand in the way of IT enabling the business. Ineffective bot management, such as CAPTCHA and excessive reliance on multi-factor authentication, create friction that harms the customer experience and reduces revenue. Bots skew business metrics to such an extent that it becomes difficult to evaluate the business strategy. How do you implement a business strategy when you do not even know whom you are interacting with?
The SecOps team is charged with efficiently managing cybersecurity risks to the business, and bots stand in the way of that mission. Like the CISO, SecOps will be concerned with confidentiality, integrity, and availability, which are all impacted by bots. In addition to these shared concerns, when it comes to efficiently addressing security risks, bots pose the challenge of creating a lot of noise that drowns out the signal, hiding threats in a sea of malicious traffic.
When bots account for most of the traffic to a site, it is more difficult to analyze logs for signs of vulnerability scanning and injection attacks. And security tools such as SIEMs and intrusion detection and prevention systems will be overwhelmed, increasing costs and causing far too many false positives to investigate. When too little is normal, tracking down the anomalies becomes impractical.
Successful bot management removes the noise and enables SecOps to focus effectively on remaining threats.
Like SecOps, bots impact fraud operations teams by dramatically increasing the noise. With so many bots taking over accounts, locking out accounts, creating fake accounts, and triggering anomaly alerts, the workload becomes impractical.
When fraud and security teams work together to manage bots, each team wins. Security teams can focus on a much smaller set of security incidents, and the level of fraud is reduced so fraud teams can focus on more complex fraud cases that require their expert judgment to resolve, reducing the caseload and improving success metrics. From the fraud perspective, bots are a prelude, a means by which fraudsters gain access, and stopping bots upstream reduces downstream workload.
NetOps teams are responsible for running the infrastructure that serves the business, maintaining uptime and performance while controlling costs.
In some cases, scraping bots on e-commerce apps account for over 90% of traffic, meaning that most of the infrastructure is serving bots, wasting the bulk of the budget for infrastructure, a metric that can be made very clear in a cloud services bill.
These bots have no concern for a site’s performance or uptime and can ramp up traffic at any time without warning, causing unpredictability and higher costs to ensure the necessary scalability.
In a DevOps culture, DevSecOps takes responsibility for incorporating security into the continuous integration/continuous development (CI/CD) pipeline, ensuring rapid feedback to developers on security bugs, and continuously improving the integration of security into the technology value stream.
DevSecOps moves security to the left, making sure any gaps are planned for earlier in the workstream. Bots are relevant here because new features need to be evaluated for how bots might exploit the feature, what harm could be caused, and what measures should be taken upon deployment to prevent the harm.
DevSecOps teams are particularly concerned with telemetry. According to the DevOps Handbook1, telemetry is essential for predicting, diagnosing, and resolving problems in complex systems. For DevOps to succeed, telemetry should cover multiple layers including business metrics, feature usage, network performance, and infrastructure load so that a problem in one layer can be traced across the stack for the rapid identification of root causes.
Bots distort telemetry in a big way. Many customers of F5 Distributed Cloud Bot Defense discovered that most of their user accounts were fake and that bots accounted for over 95% of login traffic. In some cases, the bulk of an organization's infrastructure did nothing more than serve scraping bots. DevSecOps needs to remove this distortion from the telemetry if they are to serve their security mission.
It all comes down to who owns the numbers. Is the VP of e-commerce responsible for the cost of fraud, infrastructure, and chargebacks? Are those charges cutting deep into the profits of the online business? Are conversion rates and revenue impacted by security friction such as CAPTCHA? If yes, then, this VP will care very much about how bot management can improve both top-line revenue and bottom-line profits.
The same applies to the leaders of any product or service lines sold online through web or mobile apps. Seeking to maximize profit necessarily involves addressing the largest source of traffic to your apps.
Marketers have their own set of reasons for caring about bots. Bots that slow the site, take down the site, and take over customer accounts all tarnish the brand. Bots skew website analytics that marketers depend upon for decision making. And click fraud, driven by bots, drains advertising budgets without producing any revenue.
All of these business conversations need to be packaged up so the C-suite and board understand how malicious bots impact all aspects of the business. The cumulative total of cost and lost revenue may very well amount to a material impact on the bottom line that is worthy of their attention.
"If we sustain cyberattacks or other privacy or data security incidents resulting in security breaches disrupting our operations or resulting in the unintended dissemination of protected personal information or proprietary or confidential information, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.“
Bot attacks can have direct revenue impacts, waste the time and resources of security teams tasked with blocking malicious automation, and compromise the customer experience. To mitigate these consequences, F5 Distributed Cloud Bot Defense provides real-time monitoring and intelligence to protect organizations from bot attacks, without introducing user friction.
A commissioned study conducted by Forrester Consulting on behalf of F5 examined the potential ROI enterprises may gain by deploying Distributed Cloud Bot Defense. Key findings and benefits quantified in the Forrester study include:
Reduced costs of fraud from bot attacks by 30%. By moving anti-fraud processes from downstream fraud professionals to the front end, where automated bot attacks were occurring, the composite organization was able to reduce its costs of bot-related fraud by 30%. The interviewees reported reducing fraudulent account creation by 92%, improving bot blocking by 80% when no prior solution was present, and improving bot blocking by 30% when a prior bot-protection tool was in place.
Reduced costs from credential-stuffing attacks by 96%. Distributed Cloud Bot Defense saved on additional non-fraud-related costs associated with credential stuffing as well. By reducing attacks by 96% from more than 50 annually to around two annually, the composite saves more than $1.2 million each year. Interviewees noted that per-attack costs for credential stuffing could be as high as $500,000, which would equate to approximately $25 million annually.
Reduced account lockouts and their cost to support by 88%. By preventing account lockouts, the interviewees were able to improve their customer experience, reducing the time and effort customers needed to create new accounts, reset their passwords, or contact customer support. By reducing calls to customer support, the organizations were able to save on costs such as customer support labor and technology costs.
Eliminated manual bot-protection processes and reduced rule-setting work by 40%. By implementing automation from the F5 product into their bot-protection practices, security teams at the interviewees’ firms were able to save 10,000 hours annually, which were previously spent blocking IP addresses and investigating security incidents—the equivalent of five full-time employees. Additionally, these security teams saved 40% of their time previously spent on rule setting.
Unquantified benefits from the study include:
Improved collaboration of security and fraud teams. Customers noted but could not quantify a positive impact on the level of collaboration between their security and fraud teams after deploying the product.
Reduced costs from decommissioned third-party bot-protection tools. Interviewees whose organizations had a prior bot-protection tool were able to decommission it after investing in F5 Distributed Cloud Bot Defense, saving those costs.
Resilience in times of increased online activity. Interviewees noted that the protection that F5 provides against automated attacks allowed their online presences to scale up with more resiliency during the massive increase in online activity during the COVID-19 pandemic.
Flexibility to expand to new use cases and markets. Interviewees also shared that they planned to expand the use of Distributed Cloud Bot Defense to new use cases, such as protection against screen-scraping, and to new geographic markets in the future.
“Now that we know what we know about the adversary, I don’t know that any level of staffing is going to be effective without tooling that resembles [Distributed Cloud Bot Defense].”
“With F5 Distributed Cloud Bot Defense, we’re blocking 97% of all malicious inbound traffic before it even gets to the application layer, which greatly reduces our customers’ risks.”
Bot management now means cost management. If done right, you can enhance operational efficiency, reduce business and financial risks, control IT spend, free up time for security teams and fraud analysts, and strategically manage partner bots with accurate detection and deflection, all while providing an improved customer experience.
Automated attacks represent an economic challenge that businesses and organizations must address for the sake of their bottom line and the safety of their business operations. To achieve their revenue goals, companies must protect their customers and clients from fraud and account takeover and relieve their security teams of manual and ineffective anti-bot workflows.
F5 Distributed Cloud Bot Defense prevents the fraud and abuse that can bypass existing bot control solutions and provides real-time monitoring and intelligence to protect organizations from automated attacks, without causing user friction or disrupting the customer experience. These protections help reduce costs due to fraud and economic impacts from malicious bot traffic while lowering customer support expenditures.
To learn more about the business impact of bot traffic to your organization, use our bot impact calculator to find out how much malicious bots are costing you in fraud, inventory manipulation, infrastructure expenses, employee burnout, and lost customers.
Sources:
1. Gene Kim, Patrick Debois, John Willis, Jez Humble, and John Allspaw. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. Portland, OR, IT Revolution Press, LLC, 2021.