Can Your Business Justify the Cost of Bot Management?
Published: 05/08/2022

  • Alex McConnell, Cybersecurity Content Specialist

‘Measure the Real Cost of Cybersecurity Protection’, by Gartner® analysts Stewart Buchanan, Paul Proctor and Bryan Hayes, is available for a complimentary download from the Netacea website until 31st August 2022.

We think the report teaches how to use outcome-driven metrics to set protection-level agreements (PLAs), gaining business stakeholder support and the budget approval needed to deliver them.

CIOs and teams focused on IT risk and value must factor cost into making cybersecurity business decisions and must look beyond IT to work with decision makers across business units.

This applies to bot management just as much as any other layer of security, so in this blog post we share some of the Gartner® report’s key recommendations as we understand them in the context of bot management.

Is the cost of bot management proportionate to the protection you get?

The Gartner® report introduces the concept of protection-level agreements, or PLAs.

According to ‘Measure the Real Cost of Cybersecurity Protection’, “PLAs are based on outcome-driven metrics that measure the level of protection delivered by security controls.” Like service-level agreements, PLAs are designed to define how much protection is required or expected, so that the cost to deliver this can be determined proportionally.

It’s often been difficult to justify cybersecurity spend because it’s typically invisible to most business units. Many people in organizations only notice cybersecurity measures in response to an attack that’s already happened, whereas in reality the spend can be justified by considering prevented attacks.

Setting PLAs quantifies the protection cybersecurity provides to each business unit by defining the losses that would be likely to occur if that protection were not in place.

How do you set protection-level agreements for bot management?

Bot attacks have many tangible financial impacts on businesses, reaching across various departments. We can use these to help create PLAs for bot management. For example:

  • A high volume of requests by malicious bots (for example, web scraping or credential stuffing) can be attributed to spend on server usage
  • Each account stolen in an account takeover attack costs time and money to return to its rightful user via customer service teams
  • Stock lost to scalpers using bots damages reputation in the press and on social media, harming customer loyalty figures
  • Ad fraud bots cause ad spend to be wasted on bots interacting with paid adverts instead of people

With these risks factored in, PLAs can be set, for example: ‘90% of scraping activity removed for a certain amount of spend per year’.

Which business units rely on protection from bot management?

With so many use cases for bot management, it’s easy to see why people from different departments get confused about whether stopping bots is their responsibility.

The most likely answer, according to the advice we interpret from the Gartner® report, is that these business units should work with IT teams to set out what is an acceptable level of risk due to bot activity, and how much budget can be allocated to stop these potential consequences.

Here are some non-IT business units that should be setting bot management PLAs:


eCommerce

Scalping is a major concern for eCommerce departments. Carefully planned releases and stock allocations can quickly be disrupted by high-volume scalper traffic snatching inventory or adding items to baskets to make them unavailable to real customers. This damages the eCommerce department’s ability to forecast stock requirements or demand levels.

Pricing decisions can also be affected by this fake traffic and demand, and sales figures are harmed if scraper bots steal pricing information to allow competitors to undercut prices.


Marketing

40% of brands plan to increase their data-driven marketing budgets in 2022, yet much of the data about visitor habits is driven by traffic that is largely non-human. Many bots mimic human behaviors, such as the way people navigate through websites and apps. Combined with the fact that in some cases bot traffic can make up over 50% of overall traffic, this means the data is often unknowingly skewed and can lead to incorrect campaign decisions.

In fact, Netacea’s Bot Management Review 2022 revealed that skewed marketing analytics from bots costs businesses 5% of their revenue, up 1% from 2021.

Security and fraud

Perhaps an obvious inclusion, but one of the most important. Bots are used extensively to help adversaries commit various types of fraud by gaining access to accounts via means such as credential stuffing and card cracking at scale. With online fraud on the rise, bot management is an essential defensive tool for fraud teams in 2022 and in the future, so PLAs are sorely needed.

Measuring the real cost of bot management solutions

As with any third-party tool or service, there’s not just the upfront price of the tool to consider when setting a PLA for bot management – there are also operational costs to consider.

Bots are a moving target, and business logic is not something that can be patched like a traditional security exploit. eCommerce sites will always need checkout functionality, and organizations with user accounts will always need login forms; the only way to stop bots is to distinguish them from real users and block their requests to the server.

Most bot management solutions set rules to determine what characteristics mark a user out as a bot, for example their device fingerprint or even the way they move a mouse across a website. As these signals are usually detected on the client side, bot operators unfortunately have full visibility of these measures, which means they know what security tools are looking for and can adapt to bypass defenses.

As a result, security teams are forced to revise rules and policies continually and often manually, updating code across their estate to keep bots at bay. This requires a lot of internal resource to manage, sometimes needing a whole team, including out-of-hours callouts to deal with aggressive bot attacks.

In Netacea’s case, our Intent Analytics® engine evaluates the intent of each visitor to determine whether they are benign or malicious. Guided by our in-house team of bot experts, customized machine learning algorithms adapt to new attacks and block in real time, saving out-of-hours calls or the need for a whole team dedicated to fighting fires or configuring block lists by hand. This in turn cuts operational costs and frees teams for other tasks.

Gartner®, Measure the Real Cost of Cybersecurity Protection, by Stewart Buchanan, Paul Proctor, Bryan Hayes, 30 March 2022

GARTNER® is a registered trademark and service mark of Gartner®, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
