Australian website owners are clueless as to whether their sites are being accessed by humans or bots and it’s creating an unprecedented security threat.
Web security company Kasada has released its Bots Down Under report, giving insight into how bots are causing a spike in credential abuse attacks, which in 2018 represented the third-largest source of reported data breaches.
“Bot visibility” emerges as a significant factor in the report, with the revelation that 90% of Australia’s top 250 websites (according to Alexa rankings) are unable to differentiate a customer from a bot on login pages.
Additionally, 86% of the websites failed to detect a script loading the login page, leaving them vulnerable to “credential abuse” attacks.
This illustrates a lack of security controls to differentiate between human users and scripts, the report claims. It attributes these high figures to the relative infancy of credential abuse attacks, to which businesses have not yet adjusted.
It also hypothesises that businesses mistakenly believe their web application firewall will prevent such attacks, and that companies are relying on reactive controls such as password locks to stop them.
“Attacks, particularly credential abuse, have the capacity to compromise everything from a customer’s personal information to business and even national security,” said Kasada CEO Sam Crowther.
“As many aspects of our lives are global – and much of our information now lives online – this shift places tremendous emphasis on businesses to protect and defend against potential threats.”
The study also captured data from more than 100 attacks to gain insight into “bot geography”.
And the findings revealed that most credential abuse attacks are local, with 90% of the attacks sent via Australian ISP networks.
What’s the cost?
The report estimates that the average cost of a credential abuse attack now sits at around $2 million per breach, when time, compensation and customer churn are considered.
Additionally, the reputational damage of reporting data breaches is now a significant ‘cost’ for impacted businesses.