As automated attacks ramp up, cybersecurity and fraud prevention shouldn’t be two different worlds

Could a robot army be any more annoying?

So-called bad bots unleashed by cybercriminals now account for almost 75% of internet traffic, according to a recent study. Their top five attack categories: fake accounts, account takeovers, scraping, account management, and in-product abuse.

Gavin Reid is on the front line of this assault. He’s chief information security officer of HUMAN Security, which helps clients in a range of industries stop online fraud that’s often automated via bots.

For its customers, HUMAN distinguishes bad bots from good ones, which perform helpful tasks like customer service and content moderation. The bad guys are hogging the spotlight. Last year alone, Reid tells me, his New York–based company saw a fivefold jump in malicious bot activity.

That’s hurting businesses and brand trust.

“We’re seeing customers come to us because they’re getting fleeced by these bots,” says Reid, the CISO whose firm’s clients include Priceline, Wayfair, and Yeti. A typical scenario he hears: “I put out a new whatever to sell on my platform, and 80% of all the traffic were bots, and normal people couldn’t even get there.”

Thanks to generative AI, it’s easy for criminals to create bots that convincingly mimic humans online, Reid explains. That makes it “really, really hard for companies like us and people to defend their infrastructure from attacks and to enable users to buy stuff.”

There’s little about defending against automated attacks in any of the security compliance regimes that organizations follow, Reid says. That includes the security operations center (SOC)—the team responsible for detecting, analyzing, and responding to cyber threats—and International Organization for Standardization (ISO) guidelines.

“I feel like we’re in a bit of a gap,” Reid says. “And when we have a gap, then miscreants take advantage of that and use it against us.”

Mistrust within companies could be making the problem worse.

In some businesses, cybersecurity and fraud prevention are still siloed. That doesn’t add up for Reid, who points out that times have changed.

“Let’s face it: Financial fraud—or whatever business fraud—most of it is happening online,” he says. “So having these groups separated out doesn’t help at all.”

Then why does it persist?

“Usually, it has to do with political reasons and org structures, not what makes sense for solving this particular problem,” Reid says.

The divide is more common among older organizations, he notes. For example, the big U.S. banks typically have separate fraud and cyber divisions. That’s because they started out with teams that handled old-school crimes like stickups and check fraud, then later launched cybersecurity groups to combat online offenses such as hacking, phishing, and ransomware.

But the wall is coming down. Most large financial institutions now operate a “fusion center” that sees both sides join forces, Reid says. “It’s continuing to merge, but it’s happening slowly.”

For businesses seeking a more collaborative cybersecurity and fraud strategy, Reid suggests following the banks’ lead. “It’s like they’re getting into the pool together,” he says of the two departments. “So they can keep their structure, they can keep the politics, but the actual people that are dealing with the day-to-day issues can work very closely together.”

A second step: “Single leadership that would be responsible for the delivery of both,” ensuring shared access to tools and capabilities, Reid says.

No ifs, ands, or bots about it.

Nick Rockel
nick.rockel@consultant.fortune.com

This story was originally featured on Fortune.com