API insecurity and the rise of automated bot abuse are wreaking havoc on Australian businesses, racking up a staggering $2 billion in annual losses. The alarming trend was highlighted in a recent report from cybersecurity firm Thales, which pinpoints four major incidents contributing to these costs.
The Asia-Pacific region is particularly hard-hit, accounting for 17.7% of global API and bot-related security breaches in 2023, leading to over $16.6 billion in losses worldwide.
Australia’s share is significant, with 14% of global API attacks and a striking 24% of bot-related incidents, making it one of the most affected areas, second only to Africa.
Larger organisations are more susceptible to these security threats.
Companies with revenues exceeding $1 billion face 2-3 times the risk of automated API abuse compared to their smaller counterparts. The increased vulnerability stems from the intricate and expansive nature of their API ecosystems.
Enterprises are managing an average of 613 API endpoints—an impressive number that’s growing rapidly as businesses strive to enhance their digital services.
However, this growing reliance on APIs, coupled with their access to sensitive information, makes them prime targets for bot operators looking to exploit vulnerabilities.
As the landscape of cybersecurity continues to evolve, it’s crucial for businesses to bolster their defenses against these threats, ensuring that their digital transformations don’t come at the cost of security.
In 2023, automated threats represented a staggering 30% of all global API attacks, according to Imperva Threat Research. These automated API abuses by bots are costing organisations up to $17.9 billion annually.
The surge in API use in production is a key factor, as cybercriminals increasingly employ bots to exploit API business logic, bypass security measures, and steal sensitive data.
Thales further highlights the rapid adoption of APIs, combined with a lack of experience among many API developers and insufficient collaboration between security and development teams, leading to insecure APIs that now result in losses of up to $87 billion per year—a $12 billion increase since 2021.
The proliferation of attack tools and generative AI has empowered even low-skilled attackers, enabling them to launch sophisticated bot attacks with ease. Reports estimate that automated attacks by bots contribute to a staggering $116 billion in losses annually.
As a result, API and bot-related security incidents are on the rise, with API-related incidents increasing by 40% and bot incidents spiking by 88% in 2022.
The following year saw a 9% growth in API incidents and a 28% rise in bot-related threats. It’s clear that as the digital landscape evolves, so too does the urgency for robust security measures.
According to Reinhart Hansen, Imperva director of technology for Asia Pacific and Japan, many businesses across APJ are unaware that undesirable bot traffic is impacting their bottom line by targeting their applications, APIs, and infrastructure.
“Business leaders can’t manage this risk if they’re unaware of it or don’t fully understand it,” said Hansen.
“The same can also be said about the lack of visibility across an organisation’s API endpoint assets and the data they exchange, internally, publicly, and directly with third parties.”
“Without an accurate and continuously updated API endpoint inventory and security assessment, organisations remain open to significant security risks, such as large-scale data loss and exfiltration,” he said.
Insecure APIs and bot attacks represent a serious threat to large enterprises, particularly those with revenues of at least $100 billion.
These companies are especially vulnerable to security incidents tied to insecure APIs and bot exploitation, highlighting the urgent need for enhanced security measures in their digital ecosystems.
“API ecosystems will continue to grow exponentially, driving connections to generative AI applications and large language models.”
“In parallel, cybercriminals will leverage emerging technologies to create sophisticated bots at an accelerated and alarming pace,”
“Business leaders should take proactive measures to assess and interpret the potential risk to their bottom line and adopt a holistic solution that covers the entire application landscape without impacting the end-user experience,” concluded Hansen.
The rising annual losses linked to API insecurity and automated abuses present a pressing challenge for Australian businesses.
As cybercriminals increasingly exploit vulnerabilities in API ecosystems, it is essential for organisations to prioritise robust security measures and foster collaboration between development and security teams.
In 2023, malicious bot traffic in Australia increased to 30.2%, and in 2024 good and bad bots combined represent 36.4% of the country’s total internet traffic.