Large companies are getting bombarded by approximately 530 bot attacks per day, and the vast majority of more than 200 firms surveyed have at least one person on their security teams devoted solely to bot defense, according to Osterman Research Inc.
Osterman, a Black Diamond, Wash.-based research firm that works with tech companies, was commissioned by Sunnyvale, Calif.-based fraud-control services provider Cequence Security to learn how companies are defending themselves against bot attacks. Such attacks come from malicious software applications designed to run the same code repeatedly on their own. Bots can unleash massive attacks on the login pages of retailers, financial institutions, or any organization with personal or financial data accessible through the Internet.
Osterman gathered data in August and September from 211 organizations with at least 1,000 employees; the mean number of employees per firm was nearly 17,000. All had externally facing login pages accessible through the Web, a mobile interface, or application programming interfaces.
Bots can generate many thousands of malicious login attempts per hour in an effort to steal credentials or other data. Surveyed organizations defended against a mean of 3,712 targeted bot attacks per week.
“Companies in our research have deployed an average of 482 different applications, on premises or in the cloud, and they are being targeted more than 500 times each day,” Michael Osterman, chief executive of Osterman Research, said in a news release.
Account takeovers are one of the most common forms of fraud associated with bot attacks. Half the companies surveyed reported the impact of bot-related account takeovers as “serious/damaging” or “very serious/damaging,” more than for any other of the nine possible impacts. In second place were application digital denial-of-service impacts, reported as serious/damaging or very serious/damaging by 45% of respondents.
Some 90% of the organizations had deployed Web application firewalls as important parts of their online defense, and 85% said they had at least one person devoted to fending off bots. Still, organizations reported spending an average of 2,880 minutes (48 hours) to detect a bot attack, plus another 48 hours to mitigate the event, the release says. Based on their reported labor costs, that means enterprises are spending more than $177,000 annually on personnel to manage bot attacks.
The report says first-generation bot-management tools can reduce detection time to 10 hours, but they still need 48 hours for mitigation.