The rush to meet customer needs online in 2020 left many organizations exposed to automated bot attacks. Here’s a closer look at the lesser-known risks, and what IT leaders can do to help protect businesses against future threats.
The businesses that power our society shift more of their activities online every year, in a digital transformation that has gone on for decades. For much of the time, this transition has followed a steady pace, with organizations moving online when they felt ready. Until 2020.
The COVID-19 pandemic forced almost all businesses to become online businesses, ready or not. But when businesses move quickly, they sometimes leave themselves vulnerable to security threats. And some of today’s online threats, perpetrated by armies of automated internet robots simulating human activity, or bots, can pose an even greater risk to your business than you may have accounted for.
“Many businesses focus on the types of attacks that are commonly in the news, rather than the attacks that can cause the most damage to their bottom lines.” — Forrester Consulting,
State Of Online Fraud And Bot Management
Most businesses build their online security strategy around preventing the most well-known and notorious online threats, like a distributed denial of service (DDoS) attack, or a hack aiming for a major data breach. But there’s more to de-risking your online business than just preventing these most visceral of disasters. Your security strategy must also address less visible risks that might not be on your radar, but have just as much potential to impact your business in a major way. Below, we’ll explore three examples of those types of risks, and how you can detect and defend against them.
Related: The new cloud security podcast by Google is here
1. Small-scale fraud with big risk
Front-line mechanisms that defend an application against well-known attacks like SQL injection or DDoS aren’t sufficient anymore. Security measures like DDoS protection, web application firewalls (WAFs), and content delivery networks (CDNs) are now commonplace. But full-time fraudsters didn’t just give up their hustle because the world changed. They are as dedicated to their craft as you are to your business. And just as your business has evolved to keep pace with the times, fraudsters have evolved as well.
For most businesses, the risk that is now unaccounted for is falling victim to attacks that exploit the logic of the application itself. These attacks are smaller in scale, automated, and can’t be as easily detected, carried out by bots that seek out any weakness or vulnerability in your organization’s online presence. Even if you have measures in place like DDoS protection, a WAF, or a CDN, you could still be vulnerable to this new threat vector.
2. Ecommerce risk
Imagine a large retailer that formerly conducted the majority of its business in person but maintained a digital sales channel as well. Due to COVID-19, most companies like this have worked to move the majority of their business online. Their checkout pages, with forms for credit card data and personal information, are a prime target for fraud.
“Current approaches to bot management leave businesses playing whack-a-mole. 56% of decision-makers note that their fraud management team struggles to keep up with the volume of attacks.” — Forrester Consulting,
State Of Online Fraud And Bot Management
Bots will fill online carts with items and abandon them just to test the security of the checkout process, reducing inventory available to real customers. They’ll spam login attempts on a sign-in page using stolen credentials from another site. They’ll scrape the store’s entire website and seek out details that can be used to create fraudulent applications for loans, credit cards, or other forms of identification. Or they’ll use that scraped data to create a duplicate version of the site in an attempt to fool customers into giving up their own payment data, damaging the real business’s reputation in the process.
Related: Get the highlights from our new whitepaper, “CISO’s guide to Cloud Security Transformation.”
3. Reputation risk
Fraud typically costs businesses 1-10% of their annual revenue. But the bottom line isn’t the only thing affected by bot-based fraud. As more of your business moves online, more of your customer interactions take place online, too—which means your IT team has to spend an increased amount of time fighting off a deluge of automated bot attacks or repairing broken application logic.
This ultimately takes your IT team away from more fulfilling and important work, which can negatively impact both the company and employee morale. When frustrated customers are unable to buy things because inventory is showing up as unavailable or payments are not able to be processed, your customer service team has to deal with it, and your support reps can become frustrated by problems they can’t solve. And when customers get stumped just trying to interact with your website, it damages your brand, retention, and trust.
Taking the next steps: 4 ways to drive success in bot management programs
The fact is, the vast majority of businesses are unprepared to defend against bot attacks, or even to detect them at all. When your online risk mitigation strategy is only focused on defending against the biggest—but rarest—types of attacks, you may not even realize how vulnerable you are to smaller, more common attacks like bot fraud.
As an IT leader, here are four key things you can do to protect your organization from bot attacks, future-proof your business, and drive success in your bot management programs, according to this Forrester Consulting report commissioned by Google:
- Use the bot challenge to break down organizational silos. Align across these different teams to understand your organization’s bot risk and enumerate requirements for a bot management solution. Ensure that marketing and ecommerce teams notify their security and fraud teams about upcoming campaigns and sales events that could lead to bot attacks. Send both weekly and ad hoc reports on bot trends and particular bot incidents to all concerned parties.
- Make the leap to a holistic bot management solution. Look for a bot management solution that can detect even the most sophisticated bots, keep up with bots as they evolve to evade detections, and employ a range of responses to deflect the attacks. Consider the impact of your chosen solution on your customers’ experience, and avoid adding friction to legitimate customer interactions. Also look for solutions that give your internal team quick visibility into bot traffic and enable a rapid response to bot attacks.
- Expand bot protections to address a broader set of possible attacks. Make sure your bot management solution can address the full range of bot-based threats, and build bots into your risk assessments. At least quarterly, review the content, products, and services that your applications offer to identify any that could become desirable bot targets.
- Keep customer experience and employee experience top of mind. Track false positives and customer usage metrics carefully, and review those weekly to make sure that frustrating challenges aren’t turning customers away. At the same time, continue to measure the number of bot incidents and internal response costs to track whether your bot management implementation is in fact reducing the number of incidents and the time your team spends in remediation.
If yours is one of the leading companies that have successfully adapted to major changes in the way you need to serve customers, you’ve made an extraordinary accomplishment already. But now that online business has become your primary means of business, you must safeguard against the new and more prevalent risks associated with this interaction model.
The COVID-19 pandemic will someday come to an end, but the risks posed to online businesses will not. Your risk strategy must evolve to keep pace with the evolution of fraud.
Read this next: Learn how reCAPTCHA Enterprise protected customers during the holidays.