Calculating the ROI of Effective Bot Management

Bots cost the average business 4.3% of online revenues every year – or $85 million for the typical enterprise – so it’s critical that businesses invest in finding the right bot protection solution.

If you’re coming up against resistance within your business when seeking to procure or upgrade your bot protection capabilities, this post will give you plenty of ideas for proving why better bot management is essential – in ways that matter to everyone in your organization.

Prioritizing Spend on Stopping Bots

While bot-related incidents such as credential stuffing attacks on 23andMe and DraftKings have garnered headlines, the mainstream attention they attract still falls below threats like ransomware.

When building a business case for preventing bot attacks, it’s helpful to highlight that while ransomware could affect your business – and attackers will tell you when they’ve succeeded – bot attacks are happening continually, and attackers will conceal their success for as long as possible. It takes most businesses four months to even realize a bot attack has occurred, costing the typical enterprise organization the equivalent of 57 average-sized ransomware attacks every year.

Building a Bot-Blocking Business Case

To acquire the necessary budget and resources for any new technology or project, you must prove there is a need and benefit to the business that justifies an investment. You probably know that bots are causing problems on your websites, apps and APIs, but you might not have quantified this formally yet.

This is a great place to start when it comes to prioritizing bot management at board level – and getting budget approved. Calculating financial harm caused by bots sounds simple, but there are far more ways bots cause damage than most realize. Many will stretch beyond your own remit into other areas of the business.

For example, you might be an infrastructure engineer with clear visibility of how much capacity overages cost each month, and who recognizes that bots are causing slowdowns at peak times (this is bad as sites that load within a second convert 2.5x more than sites that load in five seconds). But do you know how many customer support calls are caused by bots locking users out of their accounts, and what this costs each month? Do you know how bots affect customer churn, and the average cost of a lost customer?

Anyone can be a champion of bot management ROI in the business, but it’s important to communicate across silos and quantify the total cost of dealing with bots inadequately – not just the costs affecting your department.

Benchmarking the Cost of Bots

Extensive surveys over the past few years have revealed how much bots are costing businesses. These figures can serve as a guideline for your own organization, although it’s always best to do a more thorough calculation, since every business is different.

If you just want a quick estimate, you can refer to our “Death by a Billion Bots” report, containing independent research by Coleman Parkes. Enterprise businesses self-reported how much of their online revenue was lost to various types of bot attack each year.

To demonstrate, a typical business with a turnover between $250 million and $500 million loses 4.8% of their online revenues to scalper bots, 3.71% to credential stuffing bots, and 5% to fake account creation bots. You can use these statistics to generate a ballpark figure for your business, based on industry averages.

However, we recommend looking closely at your own data to come to a more accurate figure.

A Guide to Calculating the Cost of Bots

Before you calculate how much bots are costing your business, refer to the BLADE Framework and map out which bot attack types your business is vulnerable to. For example, if you have a login page anywhere on your site, you’re vulnerable to credential stuffing and account takeover. If you have a payment portal, you’re susceptible to card cracking, and so on.

Ready to find out how much bots are costing your organization? Our team can help you arrive at a number, but here’s a brief outline of the questions you need answers to and where you might find them.

From the security team

Security teams are often tasked with the most manual work in the wake of bot attacks, which can be an ongoing burden without proper solutions in place.

How many hours per month does your security team spend:

• Organizing and planning approaches to detecting bots?
• Manually analyzing potential bot attacks?
• Conducting forensic analysis of potentially compromised accounts?
• Configuring and updating bot blocking rules?
• Responding to urgent bot-related incidents?

From the digital & revenue team

Bots are a concern to any team that owns revenue targets because they commonly disrupt means of generating income. Because of their automated nature, bots can overwhelm websites and apps with huge volumes of unwanted requests. This can kill conversion rates by slowing page load times or cause extended outages during which no revenue can be made.

• How much revenue would your website or app lose out on per hour of downtime?
• How much would your conversion rate drop if page load times increased?

From the infrastructure team

Serving bot traffic wastes resources for no benefit. For one big box retailer client, Netacea identified 84% of traffic to their product API was malicious. Blocking this meant cutting tens of billions of requests to the API daily, significantly reducing their infrastructure needs.

• How many hours per month does your service go offline due to bots?
• What is the average cost to the business per hour of downtime?
• What percentage of your traffic is made up of bots?
• How much do you spend each month on running infrastructure to serve bot traffic?

For the software development team

Many legacy bot management solutions must be hardwired into your applications, making them labor-intensive to maintain up-to-date protection from the latest threats.

How many hours per month do developers spend:

• Updating bot management JavaScript on websites?
• Updating bot management SDKs in mobile applications?
• Testing updates to bot management solutions?

From the fraud team

Many bot attacks, especially carding, enable fraud. Your business is liable, directly or indirectly, for damage caused to customers or payment portals by these attacks.

• What is your average card authorization fee?
• How many fraudulent transactions are attempted per month?
• How many hours per month do you spend investigating potentially fraudulent transactions?
• How many accounts are compromised per month?
• What percentage of compromised accounts result in monetary loss for the business?
• What is the average amount of money lost per compromised account?

From the customer service team

Bot attacks like account takeover have a direct impact on customers that require your customer support team to step in and resolve. Costs of large attacks become significant when support calls cost businesses £6.26 each on average.

How many customer support calls per month are caused by:

• Customer accounts being stolen or locked?
• Loyalty points being stolen or spent without authorization?
• Gift card codes being used without authorization?
• Problems at checkout due to bots (e.g. items instantly sold out)?
• The use of stolen credit cards on your site?
• What is the average cost of a support call to resolve these customer complaints?

From the customer retention team

Ultimately, bots impact customer satisfaction. On average, 88% of businesses say bots impacted customer satisfaction in 2022, with 22% of these stating customer satisfaction had dropped 6% or more as a direct result.

• What is your customer lifetime value?
• What is the churn rate for customers affected by bot attacks?
• What is the churn rate for customers mistaken for bots and blocked as false positives?

From the merchandising team

Suppliers want their stock in the hands of genuine customers – these items appearing on secondary sites at a markup is detrimental to their brand.

• How much revenue would you lose if brand partners pulled stock lines due to scalping?

From the legal team

Under GDPR regulations, the ICO can fine businesses up to 20 million euros, or up to 4% of their total global turnover of the preceding fiscal year, whichever is higher.

• How much has your business paid / would your business be liable to pay in compliance fines if customer data was exposed by a bot attack?

What To Do Once You Have This Data

Once you have the sum of all these figures across a particular time frame – which will likely be per month or year – you will have a convincing benchmark for how much budget the business should dedicate to bot management.

If you already have a bot management tool in place but are still suffering losses in these areas, it’s time to review the level of protection you’re receiving. Bots are constantly evolving and developing new ways to camouflage within normal traffic or bypass controls. Your current tools could be missing a huge proportion of the bot traffic hitting your website.

How Netacea Bot Protection Delivers Value to Your Business

Thanks to our AI-driven bot protection technology, Netacea detects as many as 33 times more bots than competitors.

We achieve more accurate detection and negligible false positives (0.001%) by analyzing every single web request across websites, mobile apps and APIs with our invisible agentless integration. Our patented machine learning models flag known bad bot behaviors and categorize previously unseen anomalies in real-time. This technology is enriched by our cutting-edge threat research, allowing us to profile attackers, unravel their tools and predict their next moves.

Our agentless technology also means no code to install or maintain, protecting you from bots autonomously without needing to modify rulesets manually. All this saves valuable hours for your teams whilst always delivering up-to-date protection.

Crucially, upgrading to Netacea Bot Protection reduces customer churn by stopping bots from stealing accounts, affecting site performance and uptime, or snatching stock.

Book a demo of Netacea today.