Australian companies are incurring annual losses of up to US$2 billion due to vulnerabilities in application programming interfaces (APIs) and bot-driven cyberattacks, according to a report from cybersecurity firm Imperva, a Thales company.
The report, titled “Economic Impact of API and Bot Attacks,” attributed one in four cybersecurity incidents in Australia to these growing threats.
The study, conducted by Marsh McLennan’s Cyber Risk Intelligence Center, analysed over 161,000 cybersecurity incidents worldwide.
The study found that the Asia-Pacific (APAC) region, which includes Australia, accounted for 17.7% of all API and bot-related security breaches in 2023, resulting in more than US$16.6 billion in business losses. Australia is facing significant risks as API use continues to rise across sectors.
Larger organisations are particularly affected: enterprises generating over US$1 billion in revenue are two to three times more likely to be targeted by automated API abuse than smaller businesses. The growing complexity and scale of API ecosystems in these larger firms are key factors behind their increased exposure to attacks.
APIs, which connect various software applications, are essential for modern business operations but are increasingly targeted by cybercriminals.
Imperva Threat Research, cited in the report, noted that in 2023 the average enterprise managed 613 API endpoints, and this number is expected to increase as companies further digitise their operations.
The report highlighted that bots, which automate many aspects of cyberattacks, are a major source of risk to API security. Automated bot-driven attacks accounted for 30% of global API security breaches in 2023, with bot-based abuse of APIs contributing to as much as US$17.9 billion in global financial losses.
Reinhart Hansen, director of technology for APAC and Japan at Imperva, noted that many companies across the APAC region are unaware of the extent to which malicious bot traffic is undermining their infrastructure and operations.
“Business leaders can’t manage this risk if they’re unaware of it or don’t fully understand it,” he said.
He stressed that many businesses do not have full visibility into their API assets, leaving them vulnerable to attacks that could lead to data breaches or significant operational disruptions.
Imperva’s findings align with recent data from the Office of the Australian Information Commissioner (OAIC), which revealed that Australia is experiencing a sharp rise in data breaches.
The OAIC reported 527 breaches in the first half of 2024, a 9% increase on the previous six months and the highest number recorded since late 2020.
The healthcare and government sectors were the hardest hit, reporting the highest number of breaches.
Malicious attacks, particularly cyberattacks, accounted for 67% of all breaches reported in the OAIC’s latest data. The medical data provider MediSecure was responsible for one of the largest breaches during this period, affecting approximately 12.9 million Australians.
The OAIC is now pushing for higher levels of accountability from businesses, as the Australian government moves forward with the Privacy and Other Legislation Amendment Bill 2024.
The bill seeks to enhance the OAIC’s enforcement powers and introduce stricter penalties for companies that fail to adequately protect personal data. It would also clarify security obligations under the Australian Privacy Principles, including requirements for stronger data encryption and enhanced employee training.